CVE-2026-2741
Path Traversal in Vaadin Node.js Extraction Enables File Write Escape
Publication date: 2026-03-10
Last updated on: 2026-03-16
Assigner: Vaadin Ltd.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vaadin | vaadin | From 14.2.0 (inc) to 14.14.0 (inc) |
| vaadin | vaadin | From 23.0.0 (inc) to 23.6.6 (inc) |
| vaadin | vaadin | From 24.0.0 (inc) to 24.9.8 (inc) |
| vaadin | vaadin | From 25.0.0 (inc) to 25.0.2 (inc) |
| vaadin | flow | From 14.2.0 (inc) to 14.14.0 (inc) |
| vaadin | flow | From 23.0.0 (inc) to 23.6.6 (inc) |
| vaadin | flow | From 24.0.0 (inc) to 24.9.8 (inc) |
| vaadin | flow | From 25.0.0 (inc) to 25.0.2 (inc) |
| vaadin | flow | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2741 is a Zip Slip path traversal vulnerability affecting Vaadin's automatic Node.js download and extraction process in certain versions. Specially crafted ZIP archives can escape the intended extraction directory during Node.js unpacking, allowing an attacker to write files outside the target directory.

This vulnerability occurs if an attacker can intercept or control the Node.js download process via DNS hijacking, man-in-the-middle attacks, compromised mirrors, or supply chain attacks, serving malicious archives containing path traversal sequences.

The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and affects Vaadin versions 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. [5]
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to write files outside the intended extraction directory during the Node.js download and extraction process in Vaadin. This could lead to unauthorized file creation or modification anywhere the application has write permissions.

Such unauthorized file writes could be used to execute malicious code, alter application behavior, or compromise the system's integrity, especially if the attacker controls the download source through DNS hijacking, man-in-the-middle attacks, or supply chain compromises. [5]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-2741 vulnerability, users should upgrade affected Vaadin versions to the fixed releases as follows:

- Upgrade Vaadin 14.2.0 through 14.14.0 to version 14.14.1 or later.
- Upgrade Vaadin 23.0.0 through 23.6.6 to version 23.6.7 or later.
- Upgrade Vaadin 24.0.0 through 24.9.8 to version 24.9.9 or later.
- Upgrade Vaadin 25.0.0 through 25.0.2 to version 25.0.3 or later.

Alternatively, users can avoid Vaadin's automatic Node.js download and extraction by using a globally preinstalled Node.js version compatible with their Vaadin version.

Note that Vaadin versions 10-13 and 15-22 are no longer supported, so upgrading to the latest supported major versions (14, 23, 24, or 25) is recommended. [5]
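The containment check that a Zip Slip-prone extractor omits, as an added Python example illustrating the vulnerability class and mitigation described above (this is not Vaadin's own Java extraction code): every entry name is resolved against the extraction root before anything is written, and the whole archive is refused if any entry escapes. The two archives and the `/opt/vaadin/node` path are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path


def find_escaping_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Return entry names that would land outside dest (empty list means safe)."""
    root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Join, fully resolve, then check containment: '../' segments and absolute
        # names both fail here. This is the check a Zip Slip-prone extractor skips.
        return [n for n in zf.namelist()
                if not (root / n).resolve().is_relative_to(root)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Validate every entry first, then extract; nothing is written if any escapes."""
    bad = find_escaping_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, entries escape {dest}: {bad}")
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = root / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target.relative_to(root)))
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory from {name: content}; names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives standing in for a downloaded Node.js distribution.
BENIGN_ARCHIVE = build_archive({"node-v20/bin/node": b"#!/bin/sh\necho node\n"})
TRAVERSAL_ARCHIVE = build_archive({
    "node-v20/bin/node": b"#!/bin/sh\necho node\n",
    "../../injected.sh": b"echo escaped\n",  # resolves outside dest
})
```

Validating all entries before the first write matters: a check applied entry by entry still leaves earlier entries on disk when a later one is rejected.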