CVE-2025-9467
BaseFortify

Publication date: 2025-09-04

Last updated on: 2025-09-04

Assigner: Vaadin Ltd.

Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the following mitigation or upgrade.

Releases that have fixed this issue include:

Product version            Mitigation
Vaadin 7.0.0 - 7.7.47      Upgrade to 7.7.48
Vaadin 8.0.0 - 8.28.1      Upgrade to 8.28.2
Vaadin 14.0.0 - 14.13.0    Upgrade to 14.13.1
Vaadin 23.0.0 - 23.6.1     Upgrade to 23.6.2
Vaadin 24.0.0 - 24.7.6     Upgrade to 24.7.7 or newer

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update to the latest 14, 23 or 24 version.

Artifacts

Maven coordinates                  Vulnerable versions    Fixed version
com.vaadin:vaadin-server           7.0.0 - 7.7.47         ≥7.7.48
com.vaadin:vaadin-server           8.0.0 - 8.28.1         ≥8.28.2
com.vaadin:vaadin                  14.0.0 - 14.13.0       ≥14.13.1
com.vaadin:vaadin                  23.0.0 - 23.6.1        ≥23.6.2
com.vaadin:vaadin                  24.0.0 - 24.7.6        ≥24.7.7
com.vaadin:vaadin-upload-flow      2.0.0 - 14.13.0        ≥14.13.1
com.vaadin:vaadin-upload-flow      23.0.0 - 23.6.1        ≥23.6.2
com.vaadin:vaadin-upload-flow      24.0.0 - 24.7.6        ≥24.7.7
Meta Information
Published: 2025-09-04
Last Modified: 2025-09-04
Generated: 2026-05-27
AI Q&A: 2025-09-04
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 8 associated CPEs

Vendor    Product                Version / Range
vaadin    vaadin                 23.0.0
vaadin    vaadin-server          8.0.0
vaadin    vaadin-server          7.0.0
vaadin    vaadin-upload-flow     24.0.0
vaadin    vaadin                 14.0.0
vaadin    vaadin-upload-flow     2.0.0
vaadin    vaadin                 24.0.0
vaadin    vaadin-upload-flow     23.0.0
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Vaadin Upload components allows attackers to bypass server-side file upload validation when the start listener is used to validate metadata of incoming uploads. Essentially, improper input validation (CWE-20) enables attackers to circumvent the intended upload restrictions, potentially allowing unauthorized or malicious files to be uploaded. [1]


How can this vulnerability impact me?

The vulnerability can impact you by allowing attackers to bypass upload validation controls, which may lead to unauthorized or malicious files being uploaded to your system. This could result in security risks such as data corruption, unauthorized access, or further exploitation depending on what files are uploaded and how they are processed. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade your Vaadin components to the fixed versions. Specifically, upgrade to at least Vaadin 7.7.48, 8.28.2, 14.13.1, 23.6.2, or 24.7.7 depending on your current version. For Vaadin Upload Flow artifacts, upgrade to at least 14.13.1, 23.6.2, or 24.7.7. Additionally, if you are using unsupported Vaadin versions 10-13 or 15-22, migrate to the latest supported versions 14, 23, or 24. [1]

