CVE-2025-9467
EPSS: 0.13%
Vaadin Framework possible file bypass via upload validation on the server-side
Published: 9/4/2025. Modified: 9/4/2025
Description
When a Vaadin Upload start listener is used to validate metadata about an incoming upload (the filename, MIME type and content length exposed by the started event are all supplied by the client), it is possible to bypass that validation. Users of affected versions should upgrade to Vaadin 7.7.48 or a more recent Vaadin version.
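The following is an added example, not code from the Vaadin project or from the advisory. It shows the pattern the advisory describes, metadata checks done only in a start listener, beside a hardened Vaadin 7 receiver that makes the decision where the bytes arrive: the extension check and the size limit are applied in Receiver.receiveUpload and in the OutputStream it returns, and the accepted content is confirmed by its magic bytes before it is stored. The 2 MiB cap, the PNG/JPEG allowlist and the temporary-file storage are assumptions made for this example. Upgrading to a fixed version is still required; moving the checks only removes the dependence on client-supplied metadata.

```java
import com.vaadin.ui.Notification;
import com.vaadin.ui.Upload;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Pattern the advisory describes: the accept/reject decision lives in the start listener only. */
class StartListenerOnlyUpload {
    static Upload build() {
        // The receiver hands back a sink for whatever the client sends; nothing is checked here.
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        Upload upload = new Upload("Image", (filename, mimeType) -> sink);
        upload.addStartedListener(event -> {
            // Filename, MIME type and content length in StartedEvent are all client-supplied.
            if (!event.getFilename().toLowerCase(Locale.ROOT).endsWith(".png")) {
                event.getUpload().interruptUpload();
            }
        });
        return upload;
    }
}

/** Hardened pattern: enforce policy where the bytes arrive, and on the bytes themselves. */
class ReceiverValidatedUpload {
    static final long MAX_BYTES = 2L * 1024 * 1024;                          // assumption: 2 MiB cap
    static final Set<String> ALLOWED_EXT = new HashSet<>(Arrays.asList("png", "jpg", "jpeg"));
    static final byte[] PNG_MAGIC  = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    static final byte[] JPEG_MAGIC = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};

    /** Buffers the upload and fails it with an IOException once the server-side limit is exceeded. */
    static final class BoundedBuffer extends OutputStream {
        final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        long count;

        @Override public void write(int b) throws IOException {
            write(new byte[] {(byte) b}, 0, 1);
        }

        @Override public void write(byte[] b, int off, int len) throws IOException {
            count += len;
            if (count > MAX_BYTES) {
                throw new IOException("upload exceeds " + MAX_BYTES + " bytes");
            }
            buf.write(b, off, len);
        }
    }

    /** Extension check on the basename only, so path components in the submitted name are ignored. */
    static boolean hasAllowedExtension(String filename) {
        int slash = Math.max(filename.lastIndexOf('/'), filename.lastIndexOf('\\'));
        String name = filename.substring(slash + 1);
        int dot = name.lastIndexOf('.');
        return dot > 0 && ALLOWED_EXT.contains(name.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    static boolean startsWith(byte[] data, byte[] magic) {
        return data.length >= magic.length && Arrays.equals(Arrays.copyOf(data, magic.length), magic);
    }

    /** Content check on the received bytes, independent of filename and Content-Type. */
    static boolean looksLikeImage(byte[] data) {
        return startsWith(data, PNG_MAGIC) || startsWith(data, JPEG_MAGIC);
    }

    static Upload build() {
        BoundedBuffer[] current = new BoundedBuffer[1];
        Upload upload = new Upload("Image", (filename, mimeType) -> {
            // Cheap first filter. Returning null makes Vaadin raise Upload.NoOutputStreamException,
            // so the upload fails before any byte is accepted.
            if (!hasAllowedExtension(filename)) {
                return null;
            }
            current[0] = new BoundedBuffer();
            return current[0];
        });
        upload.addSucceededListener(event -> {
            byte[] data = current[0].buf.toByteArray();
            if (!looksLikeImage(data)) {
                Notification.show("Rejected: content is not a PNG or JPEG", Notification.Type.ERROR_MESSAGE);
                return;
            }
            try {
                // Stored under a server-generated name; the client's filename is never used as a path.
                Path stored = Files.createTempFile("upload-", ".img");   // assumption: temp storage
                Files.write(stored, data);
            } catch (IOException e) {
                Notification.show("Could not store upload", Notification.Type.ERROR_MESSAGE);
            }
        });
        upload.addFailedListener(event ->
            Notification.show("Upload failed: " + event.getReason(), Notification.Type.ERROR_MESSAGE));
        return upload;
    }
}
```

Two points worth keeping in mind when applying this: StartedEvent.getContentLength() is only what the client declared, so the byte cap has to be enforced in the stream that actually receives the data, and an exception thrown from that stream ends the upload with a FailedEvent rather than a SucceededEvent, which is the outcome a rejected upload should have.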
Affected packages (1)
- Maven: com.vaadin:vaadin-server, versions >= 7.0.0 and < 7.7.48
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-9467
- PATCH: https://github.com/vaadin/framework
- WEB: https://github.com/vaadin/flow-components/commit/bfe9e507cdcc5d90a2312c8f0162f798a29ba635
- WEB: https://github.com/vaadin/flow-components/pull/7616
- WEB: https://github.com/vaadin/framework/security/advisories/GHSA-9gfh-4fwj-w3rj
- WEB: https://vaadin.com/security/cve-2025-9467