0xMarcio
2.0 KiB
CVE-2025-9467
Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:Product versionVaadin 7.0.0 - 7.7.47Vaadin 8.0.0 - 8.28.1Vaadin 14.0.0 - 14.13.0Vaadin 23.0.0 - 23.6.1Vaadin 24.0.0 - 24.7.6MitigationUpgrade to 7.7.48Upgrade to 8.28.2Upgrade to 14.13.1Upgrade to 23.6.2Upgrade to 24.7.7 or newerPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.Artifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server7.0.0 - 7.7.47≥7.7.48com.vaadin:vaadin-server8.0.0 - 8.28.1≥8.28.2com.vaadin:vaadin14.0.0 - 14.13.0≥14.13.1com.vaadin:vaadin23.0.0 - 23.6.1≥23.6.2com.vaadin:vaadin24.0.0 - 24.7.6≥24.7.7com.vaadin:vaadin-upload-flow2.0.0 - 14.13.0≥14.13.1com.vaadin:vaadin-upload-flow23.0.0 - 23.6.1≥23.6.2com.vaadin:vaadin-upload-flow24.0.0 - 24.7.6≥24.7.7
POC
Reference
No PoCs from references.