Vaadin
cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*
- >= 14.2.0, <= 14.14.0
- >= 23.0.0, <= 23.6.6
- >= 24.0.0, <= 24.9.8
- >= 25.0.0, <= 25.0.2
A path traversal vulnerability has been identified in Vaadin versions 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. This vulnerability arises during the automatic download and extraction of Node.js by Vaadin's build process. If an attacker can intercept or control this download—through methods such as DNS hijacking, a man-in-the-middle attack, a compromised mirror, or a supply chain attack—they can deliver a malicious ZIP archive. This archive can contain path traversal sequences that exploit the extraction process, allowing files to be written outside the designated directory, potentially anywhere the application has write permissions.
Exploitation of this vulnerability could lead to arbitrary file writing outside the intended extraction directory, potentially allowing for further exploitation depending on the written files and their context.
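The following is an added example, not Vaadin's own code, written in Python rather than Vaadin's Java so it runs stand-alone: it shows the check a hardened extractor needs against the archive described above, canonicalising each entry's target path and refusing any entry (such as a constructed `../../.profile`) that resolves outside the destination directory before anything is written. All archives and file names in it are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

class UnsafeArchiveEntry(Exception):
    """Raised when a ZIP entry would resolve outside the destination directory."""

def safe_target_path(dest_dir: str, entry_name: str) -> str:
    """Resolve entry_name under dest_dir; reject '../' traversal and absolute paths."""
    dest_real = os.path.realpath(dest_dir)
    # ZIP names use '/', but some archivers emit '\'; normalise before joining.
    candidate = os.path.realpath(os.path.join(dest_real, entry_name.replace("\\", "/")))
    # After canonicalisation the path must be dest_real itself or a descendant of it.
    if candidate != dest_real and not candidate.startswith(dest_real + os.sep):
        raise UnsafeArchiveEntry(f"entry escapes destination: {entry_name!r}")
    return candidate

def extract_zip_safely(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract every entry, validating all paths before a single byte is written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        targets = [(i, safe_target_path(dest_dir, i.filename)) for i in zf.infolist()]
        for info, target in targets:
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if info.is_dir():
                continue
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(dest_dir)).replace(os.sep, "/"))
    return written

def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> dict:
    # Constructed archives: a benign Node.js-like layout and one carrying a traversal entry.
    benign = build_archive({"node/bin/node": b"#!/bin/sh\n", "node/LICENSE": b"MIT"})
    hostile = build_archive({"node/bin/node": b"x", "../../.profile": b"overwritten"})
    with tempfile.TemporaryDirectory() as d:
        result = {"benign": sorted(extract_zip_safely(benign, d)), "hostile_rejected": False}
        try:
            extract_zip_safely(hostile, d)
        except UnsafeArchiveEntry:
            result["hostile_rejected"] = True
        result["dir_after_hostile"] = sorted(os.listdir(d))  # nothing new may appear
    return result
```

Because every entry is validated before the first write, a rejected archive leaves no partial output behind, which is the property to test for when auditing an extractor.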
Users should upgrade to a fixed version of Vaadin. The following upgrade paths are available:
- Vaadin 14.2.0 - 14.14.0: Upgrade to 14.14.1
- Vaadin 23.0.0 - 23.6.6: Upgrade to 23.6.7
- Vaadin 24.0.0 - 24.9.8: Upgrade to 24.9.9
- Vaadin 25.0.0 - 25.0.2: Upgrade to 25.0.3 or newer.
For versions 10-13 and 15-22, which are no longer supported, users should update to the latest version of 14, 23, 24, or 25.