Description
Vaadin Flow Components possible file bypass via upload validation on the server-side
When the Vaadin Upload component's start listener is used to validate metadata about an incoming upload (for example the file name or MIME type reported with the request), that validation can be bypassed. Users of affected versions should upgrade to a fixed Vaadin version (see the package table below).
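As an added illustration (this is example code written for this page, not Vaadin's own code and not the project's fix), the block below contrasts the start-listener pattern the advisory names with a variant that decides on the bytes that actually arrived. It uses the public Flow Upload API (`Upload`, `MemoryBuffer`, `addStartedListener`, `addSucceededListener`, `interruptUpload`); the `UploadSink` interface and the PNG-only policy are assumptions made for the example, and `readAllBytes()` needs Java 11 or later.

```java
import com.vaadin.flow.component.upload.Upload;
import com.vaadin.flow.component.upload.receivers.MemoryBuffer;

import java.io.IOException;
import java.util.Arrays;
import java.util.Set;

/**
 * Added example, not Vaadin's code. metadataOnlyUpload() shows the pattern the
 * advisory describes; contentValidatedUpload() decides on the received bytes.
 * MemoryBuffer keeps the example self-contained; FileBuffer works the same way
 * for large files.
 */
public class UploadValidationExample {

    // Constructed policy for the example: accept only PNG images.
    private static final Set<String> ALLOWED_MIME = Set.of("image/png");
    private static final byte[] PNG_MAGIC =
            {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

    /** Outcome callback; a hypothetical interface defined only for this example. */
    public interface UploadSink {
        void accept(String fileName, byte[] content);
        void reject(String fileName, String reason);
    }

    /**
     * Pattern the advisory describes: the accept/reject decision rests on
     * StartedEvent metadata, which is whatever the browser put in the request.
     */
    public static Upload metadataOnlyUpload(UploadSink sink) {
        MemoryBuffer buffer = new MemoryBuffer();
        Upload upload = new Upload(buffer);
        upload.addStartedListener(event -> {
            boolean ok = ALLOWED_MIME.contains(event.getMIMEType())
                    && event.getFileName().toLowerCase().endsWith(".png");
            if (!ok) {
                upload.interruptUpload();
                sink.reject(event.getFileName(), "metadata rejected");
            }
        });
        upload.addSucceededListener(event -> {
            try {
                sink.accept(event.getFileName(), buffer.getInputStream().readAllBytes());
            } catch (IOException e) {
                sink.reject(event.getFileName(), e.getMessage());
            }
        });
        return upload;
    }

    /**
     * Hardened variant: metadata is treated as a hint at most; the decision is
     * made on the content once the body is complete. The client-supplied file
     * name is passed through for logging only and must never be used as a path.
     */
    public static Upload contentValidatedUpload(UploadSink sink) {
        MemoryBuffer buffer = new MemoryBuffer();
        Upload upload = new Upload(buffer);
        upload.addSucceededListener(event -> {
            try {
                byte[] data = buffer.getInputStream().readAllBytes();
                if (looksLikePng(data)) {
                    sink.accept(event.getFileName(), data);
                } else {
                    sink.reject(event.getFileName(), "content is not a PNG");
                }
            } catch (IOException e) {
                sink.reject(event.getFileName(), e.getMessage());
            }
        });
        return upload;
    }

    /** Signature check on the bytes themselves, independent of any client claim. */
    static boolean looksLikePng(byte[] data) {
        return data.length >= PNG_MAGIC.length
                && Arrays.equals(Arrays.copyOf(data, PNG_MAGIC.length), PNG_MAGIC);
    }
}
```

The point of the second method is that the file name, MIME type and declared length in `StartedEvent` all originate from the client's request, so a server-side policy that only inspects them is only as strong as the client's honesty. Checking the received bytes (here a signature check; a full decoder or a content-type sniffer would be stricter) and applying the upgrade listed below are complementary: the upgrade closes the bypass in the component, the content check removes the dependence on client-controlled metadata altogether.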
References
- https://github.com/vaadin/flow-components/security/advisories/GHSA-94g8-xv23-7656
- https://nvd.nist.gov/vuln/detail/CVE-2025-9467
- https://github.com/vaadin/flow-components/pull/7616
- https://github.com/vaadin/flow-components/commit/bfe9e507cdcc5d90a2312c8f0162f798a29ba635
- https://vaadin.com/security/cve-2025-9467
Packages
Name: com.vaadin:vaadin-upload-flow (maven)
Affected versions        Fixed version
>= 2.0.0, <= 14.13.0     14.13.1
>= 23.0.0, <= 23.6.1     23.6.2
>= 24.0.0, <= 24.7.6     24.7.7
Severity: 5.3 Medium (CVSS v4)
Weaknesses
CWE-20 (Improper Input Validation)
CWE-434 (Unrestricted Upload of File with Dangerous Type)