Search criteria
2 vulnerabilities found for vaadin-upload-flow by vaadin
CVE-2025-9467 (GCVE-0-2025-9467)
Vulnerability from cvelistv5 – Published: 2025-09-04 06:15 – Updated: 2025-09-04 13:41
VLAI?
Summary
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation.
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Product version
Vaadin 7.0.0 - 7.7.47
Vaadin 8.0.0 - 8.28.1
Vaadin 14.0.0 - 14.13.0
Vaadin 23.0.0 - 23.6.1
Vaadin 24.0.0 - 24.7.6
Mitigation
Upgrade to 7.7.48
Upgrade to 8.28.2
Upgrade to 14.13.1
Upgrade to 23.6.2
Upgrade to 24.7.7 or newer
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.
Artifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server
7.0.0 - 7.7.47
≥7.7.48
com.vaadin:vaadin-server
8.0.0 - 8.28.1
≥8.28.2
com.vaadin:vaadin
14.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin24.0.0 - 24.7.6
≥24.7.7com.vaadin:vaadin-upload-flow
2.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin-upload-flow
23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin-upload-flow
24.0.0 - 24.7.6
≥24.7.7
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| vaadin | vaadin |
Affected:
14.0.0 , ≤ 14.13.0
(maven)
Affected: 23.0.0 , ≤ 23.6.1 (maven) Affected: 24.0.0 , ≤ 24.7.6 (maven) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-04T13:28:46.739599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T13:41:24.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin",
"product": "vaadin",
"repo": "https://github.com/vaadin/platform",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.13.0",
"status": "affected",
"version": "14.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.1",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.7.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin-server",
"product": "framework",
"repo": "https://github.com/vaadin/framework",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "7.7.47",
"status": "affected",
"version": "7.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "8.28.1",
"status": "affected",
"version": "8.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin-upload-flow",
"product": "vaadin-upload-flow",
"repo": "https://github.com/vaadin/flow-components",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.13.0",
"status": "affected",
"version": "14.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.1",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.7.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eWhen the Vaadin Upload\u0027s start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 7.0.0 - 7.7.47\u003cbr\u003eVaadin 8.0.0 - 8.28.1\u003cbr\u003eVaadin 14.0.0 - 14.13.0\u003cbr\u003eVaadin 23.0.0 - 23.6.1\u003cbr\u003eVaadin 24.0.0 - 24.7.6\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 7.7.48\u003cbr\u003eUpgrade to 8.28.2\u003cbr\u003eUpgrade to 14.13.1\u003cbr\u003eUpgrade to 23.6.2\u003cbr\u003eUpgrade to 24.7.7 or newer\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\u003cbr\u003e\u003cbr\u003eArtifacts\u0026nbsp; \u0026nbsp; \u0026nbsp;\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e7.0.0 - 7.7.47\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u22657.7.48\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e8.0.0 - 8.28.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u22658.28.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e14.0.0 - 14.13.0\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226514.13.1\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226523.6.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.7.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.7.7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e2.0.0 - 14.13.0\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226514.13.1\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226523.6.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.7.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.7.7\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When the Vaadin Upload\u0027s start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 7.0.0 - 7.7.47\nVaadin 8.0.0 - 8.28.1\nVaadin 14.0.0 - 14.13.0\nVaadin 23.0.0 - 23.6.1\nVaadin 24.0.0 - 24.7.6\n\nMitigation\nUpgrade to 7.7.48\nUpgrade to 8.28.2\nUpgrade to 14.13.1\nUpgrade to 23.6.2\nUpgrade to 24.7.7 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\n\nArtifacts\u00a0 \u00a0 \u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\n7.0.0 - 7.7.47\n\u22657.7.48\ncom.vaadin:vaadin-server\n8.0.0 - 8.28.1\n\u22658.28.2\ncom.vaadin:vaadin\n14.0.0 - 14.13.0\n\u226514.13.1\ncom.vaadin:vaadin23.0.0 - 23.6.1\n\u226523.6.2\ncom.vaadin:vaadin24.0.0 - 24.7.6\n\u226524.7.7com.vaadin:vaadin-upload-flow\n2.0.0 - 14.13.0\n\u226514.13.1\ncom.vaadin:vaadin-upload-flow\n23.0.0 - 23.6.1\n\u226523.6.2\ncom.vaadin:vaadin-upload-flow\n24.0.0 - 24.7.6\n\u226524.7.7"
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T11:58:03.368Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/cve-2025-9467"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Users of affected versions should apply the following mitigation or upgrade."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Possibility to bypass file upload validation on the server-side",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis issue can also be worked around without updating the version by validating the upload metadata again in the Upload\u0027s finished listener.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "This issue can also be worked around without updating the version by validating the upload metadata again in the Upload\u0027s finished listener."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2025-9467",
"datePublished": "2025-09-04T06:15:47.336Z",
"dateReserved": "2025-08-25T14:57:19.966Z",
"dateUpdated": "2025-09-04T13:41:24.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9467 (GCVE-0-2025-9467)
Vulnerability from nvd – Published: 2025-09-04 06:15 – Updated: 2025-09-04 13:41
VLAI?
Summary
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation.
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Product version
Vaadin 7.0.0 - 7.7.47
Vaadin 8.0.0 - 8.28.1
Vaadin 14.0.0 - 14.13.0
Vaadin 23.0.0 - 23.6.1
Vaadin 24.0.0 - 24.7.6
Mitigation
Upgrade to 7.7.48
Upgrade to 8.28.2
Upgrade to 14.13.1
Upgrade to 23.6.2
Upgrade to 24.7.7 or newer
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.
Artifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server
7.0.0 - 7.7.47
≥7.7.48
com.vaadin:vaadin-server
8.0.0 - 8.28.1
≥8.28.2
com.vaadin:vaadin
14.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin24.0.0 - 24.7.6
≥24.7.7com.vaadin:vaadin-upload-flow
2.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin-upload-flow
23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin-upload-flow
24.0.0 - 24.7.6
≥24.7.7
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| vaadin | vaadin |
Affected:
14.0.0 , ≤ 14.13.0
(maven)
Affected: 23.0.0 , ≤ 23.6.1 (maven) Affected: 24.0.0 , ≤ 24.7.6 (maven) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-04T13:28:46.739599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T13:41:24.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin",
"product": "vaadin",
"repo": "https://github.com/vaadin/platform",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.13.0",
"status": "affected",
"version": "14.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.1",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.7.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin-server",
"product": "framework",
"repo": "https://github.com/vaadin/framework",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "7.7.47",
"status": "affected",
"version": "7.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "8.28.1",
"status": "affected",
"version": "8.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin-upload-flow",
"product": "vaadin-upload-flow",
"repo": "https://github.com/vaadin/flow-components",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.13.0",
"status": "affected",
"version": "14.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.1",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.7.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eWhen the Vaadin Upload\u0027s start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 7.0.0 - 7.7.47\u003cbr\u003eVaadin 8.0.0 - 8.28.1\u003cbr\u003eVaadin 14.0.0 - 14.13.0\u003cbr\u003eVaadin 23.0.0 - 23.6.1\u003cbr\u003eVaadin 24.0.0 - 24.7.6\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 7.7.48\u003cbr\u003eUpgrade to 8.28.2\u003cbr\u003eUpgrade to 14.13.1\u003cbr\u003eUpgrade to 23.6.2\u003cbr\u003eUpgrade to 24.7.7 or newer\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\u003cbr\u003e\u003cbr\u003eArtifacts\u0026nbsp; \u0026nbsp; \u0026nbsp;\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e7.0.0 - 7.7.47\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u22657.7.48\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e8.0.0 - 8.28.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u22658.28.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e14.0.0 - 14.13.0\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226514.13.1\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226523.6.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.7.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.7.7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e2.0.0 - 14.13.0\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226514.13.1\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226523.6.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.7.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.7.7\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When the Vaadin Upload\u0027s start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 7.0.0 - 7.7.47\nVaadin 8.0.0 - 8.28.1\nVaadin 14.0.0 - 14.13.0\nVaadin 23.0.0 - 23.6.1\nVaadin 24.0.0 - 24.7.6\n\nMitigation\nUpgrade to 7.7.48\nUpgrade to 8.28.2\nUpgrade to 14.13.1\nUpgrade to 23.6.2\nUpgrade to 24.7.7 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\n\nArtifacts\u00a0 \u00a0 \u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\n7.0.0 - 7.7.47\n\u22657.7.48\ncom.vaadin:vaadin-server\n8.0.0 - 8.28.1\n\u22658.28.2\ncom.vaadin:vaadin\n14.0.0 - 14.13.0\n\u226514.13.1\ncom.vaadin:vaadin23.0.0 - 23.6.1\n\u226523.6.2\ncom.vaadin:vaadin24.0.0 - 24.7.6\n\u226524.7.7com.vaadin:vaadin-upload-flow\n2.0.0 - 14.13.0\n\u226514.13.1\ncom.vaadin:vaadin-upload-flow\n23.0.0 - 23.6.1\n\u226523.6.2\ncom.vaadin:vaadin-upload-flow\n24.0.0 - 24.7.6\n\u226524.7.7"
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T11:58:03.368Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/cve-2025-9467"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Users of affected versions should apply the following mitigation or upgrade."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Possibility to bypass file upload validation on the server-side",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis issue can also be worked around without updating the version by validating the upload metadata again in the Upload\u0027s finished listener.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "This issue can also be worked around without updating the version by validating the upload metadata again in the Upload\u0027s finished listener."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2025-9467",
"datePublished": "2025-09-04T06:15:47.336Z",
"dateReserved": "2025-08-25T14:57:19.966Z",
"dateUpdated": "2025-09-04T13:41:24.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}