CVE-2025-9467
Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation.
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Product version Vaadin 7.0.0 - 7.7.47 Vaadin 8.0.0 - 8.28.1 Vaadin 14.0.0 - 14.13.0 Vaadin 23.0.0 - 23.6.1 Vaadin 24.0.0 - 24.7.6
Mitigation Upgrade to 7.7.48 Upgrade to 8.28.2 Upgrade to 14.13.1 Upgrade to 23.6.2 Upgrade to 24.7.7 or newer
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.
Artifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server 7.0.0 - 7.7.47 ≥7.7.48 com.vaadin:vaadin-server 8.0.0 - 8.28.1 ≥8.28.2 com.vaadin:vaadin 14.0.0 - 14.13.0 ≥14.13.1 com.vaadin:vaadin23.0.0 - 23.6.1 ≥23.6.2 com.vaadin:vaadin24.0.0 - 24.7.6 ≥24.7.7com.vaadin:vaadin-upload-flow 2.0.0 - 14.13.0 ≥14.13.1 com.vaadin:vaadin-upload-flow 23.0.0 - 23.6.1 ≥23.6.2 com.vaadin:vaadin-upload-flow 24.0.0 - 24.7.6 ≥24.7.7
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.vaadin:vaadin-serverMaven | >= 7.0.0, < 7.7.48 | 7.7.48 |
com.vaadin:vaadin-serverMaven | >= 8.0.0, < 8.28.2 | 8.28.2 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-9gfh-4fwj-w3rjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-9467ghsaADVISORY
- github.com/vaadin/flow-components/commit/bfe9e507cdcc5d90a2312c8f0162f798a29ba635ghsaWEB
- github.com/vaadin/flow-components/pull/7616ghsaWEB
- github.com/vaadin/framework/security/advisories/GHSA-9gfh-4fwj-w3rjghsaWEB
- vaadin.com/security/cve-2025-9467nvdWEB
News mentions
0No linked articles in our index yet.