Vaadin Authentication Bypass Vulnerability in Spring Security Applications

Vulnerability

A vulnerability allowing authentication bypass exists in Vaadin applications that use Spring Security, in versions 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7, and 25.0.0 through 25.0.1. The root cause is inconsistent path pattern matching of the framework's reserved paths: a request for the '/VAADIN' endpoint without a trailing slash is not recognised by the security filters as a reserved framework path, so it bypasses them, and an unauthenticated user can initiate framework processes and create a session without proper authorization.
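The bug class described above, inconsistent matching of a reserved path between the security filter and the framework, is easy to model and check for. The following is an added illustrative example, not Vaadin or Spring Security source and not the logic of the fixed releases. It assumes, hypothetically, that the security filter recognises a reserved request only by the prefix '/VAADIN/' (trailing slash included) while the framework handler decides by the first path segment, and that the intended policy is to reject anonymous requests to the reserved path; the function names, the sample access-log lines and the route labels are all constructed for the example.

```python
"""Model of the 'inconsistent reserved-path matching' bug class, a hardened variant
that normalises the path and shares one predicate, and a log check for the bare form.

Added example: not Vaadin or Spring Security code. The two predicates, the access
policy and the log lines below are assumptions made for illustration.
"""
import posixpath
import re

RESERVED_SEGMENT = "VAADIN"


def raw_path(target: str) -> str:
    """Request path exactly as sent, query string dropped, no normalisation."""
    return target.split("?", 1)[0]


def normalize_path(target: str) -> str:
    """Canonical absolute path: percent-decoded, dot segments resolved, repeated and
    trailing slashes collapsed, so '/VAADIN', '/VAADIN/' and '//VAADIN/./' compare equal."""
    from urllib.parse import unquote
    path = unquote(target.split("#", 1)[0].split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))


def filter_is_reserved_vulnerable(path: str) -> bool:
    """Assumed security-filter predicate: only paths strictly under '/VAADIN/' match."""
    return path.startswith("/" + RESERVED_SEGMENT + "/")


def handler_is_reserved(path: str) -> bool:
    """Assumed framework-handler predicate: the first non-empty segment decides."""
    segments = [s for s in path.split("/") if s]
    return bool(segments) and segments[0] == RESERVED_SEGMENT


def route_vulnerable(target: str, authenticated: bool) -> str:
    """Two different predicates on the raw path: the bare '/VAADIN' is not seen by the
    filter but still reaches the framework bootstrap, which would create a session."""
    path = raw_path(target)
    if filter_is_reserved_vulnerable(path) and not authenticated:
        return "denied"
    if handler_is_reserved(path):
        return "framework-bootstrap"
    return "app" if authenticated else "login-redirect"


def route_fixed(target: str, authenticated: bool) -> str:
    """One shared, segment-based predicate applied to the normalised path."""
    path = normalize_path(target)
    reserved = handler_is_reserved(path)
    if reserved and not authenticated:
        return "denied"
    if reserved:
        return "framework-bootstrap"
    return "app" if authenticated else "login-redirect"


# Common Log Format: client, two ident fields, timestamp, request line, status.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_bare_reserved_hits(log_lines):
    """Flag served (status 200) requests whose canonical path is the reserved root but
    whose raw path is not in the filter's expected '/VAADIN/...' form."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        path = raw_path(target)
        if (handler_is_reserved(normalize_path(target))
                and not filter_is_reserved_vulnerable(path)
                and status == "200"):
            hits.append((ip, path))
    return hits


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2026:18:58:00 +0000] "GET /VAADIN HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2026:18:58:01 +0000] "GET /VAADIN/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Mar/2026:18:58:02 +0000] "GET /VAADIN/build/app.js HTTP/1.1" 200 4096',
    '203.0.113.9 - - [10/Mar/2026:18:58:03 +0000] "GET /vaadin HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Mar/2026:18:58:04 +0000] "GET /%56AADIN?x=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for t in ("/VAADIN", "/VAADIN/", "/VAADIN/push", "//VAADIN/./", "/app"):
        print(f"{t:14} vulnerable={route_vulnerable(t, False):20} fixed={route_fixed(t, False)}")
    print(find_bare_reserved_hits(SAMPLE_LOG))
```

The point of the hardened variant is not the particular predicate but that there is exactly one of them, applied after normalisation, so that every spelling of the reserved path ('/VAADIN', '/VAADIN/', percent-encoded or with dot segments) lands on the same decision. The log check applies the same normalisation to historical traffic, so requests in the evasive bare form that were answered 200 stand out even when the web server logged them verbatim.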

Impact

Exploitation allows an unauthenticated user to reach the framework's initialization processes and create a session without satisfying the application's authentication requirements.

Remediation

Users of affected Vaadin versions should upgrade to the first fixed release of the branch in use: 14.14.1 (for 14.0.0 through 14.14.0), 23.6.7 (for 23.0.0 through 23.6.6), 24.9.8 or newer (for 24.0.0 through 24.9.7), or 25.0.2 or newer (for 25.0.0 through 25.0.1). Vaadin versions 10 through 13 and 15 through 22 are no longer supported and receive no fix; applications on those versions should move to the latest release of 14, 23, or 24.

Added: Mar 10, 2026, 6:58 PM
Updated: Mar 10, 2026, 6:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.3
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 5.7
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.