CVE-2025-9467
CVSS v4.0 severity:
MEDIUM
Type:
CWE-20
Improper Input Validation
Publication date:
04/09/2025
Last modified:
04/09/2025
Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation.

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

| Product version | Mitigation |
|---|---|
| Vaadin 7.0.0 - 7.7.47 | Upgrade to 7.7.48 |
| Vaadin 8.0.0 - 8.28.1 | Upgrade to 8.28.2 |
| Vaadin 14.0.0 - 14.13.0 | Upgrade to 14.13.1 |
| Vaadin 23.0.0 - 23.6.1 | Upgrade to 23.6.2 |
| Vaadin 24.0.0 - 24.7.6 | Upgrade to 24.7.7 or newer |

Please note that Vaadin versions 10-13 and 15-22 are no longer supported, and you should update to the latest 14, 23, or 24 version.

Artifacts

| Maven coordinates | Vulnerable versions | Fixed version |
|---|---|---|
| com.vaadin:vaadin-server | 7.0.0 - 7.7.47 | ≥7.7.48 |
| com.vaadin:vaadin-server | 8.0.0 - 8.28.1 | ≥8.28.2 |
| com.vaadin:vaadin | 14.0.0 - 14.13.0 | ≥14.13.1 |
| com.vaadin:vaadin | 23.0.0 - 23.6.1 | ≥23.6.2 |
| com.vaadin:vaadin | 24.0.0 - 24.7.6 | ≥24.7.7 |
| com.vaadin:vaadin-upload-flow | 2.0.0 - 14.13.0 | ≥14.13.1 |
| com.vaadin:vaadin-upload-flow | 23.0.0 - 23.6.1 | ≥23.6.2 |
| com.vaadin:vaadin-upload-flow | 24.0.0 - 24.7.6 | ≥24.7.7 |



