Possibility to bypass file upload validation on the server-side

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green

Description

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation.

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version
Vaadin 7.0.0 - 7.7.47
Vaadin 8.0.0 - 8.28.1
Vaadin 14.0.0 - 14.13.0
Vaadin 23.0.0 - 23.6.1
Vaadin 24.0.0 - 24.7.6

Mitigation
Upgrade to 7.7.48
Upgrade to 8.28.2
Upgrade to 14.13.1
Upgrade to 23.6.2
Upgrade to 24.7.7 or newer

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.

Artifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server
7.0.0 - 7.7.47
≥7.7.48
com.vaadin:vaadin-server
8.0.0 - 8.28.1
≥8.28.2
com.vaadin:vaadin
14.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin24.0.0 - 24.7.6
≥24.7.7com.vaadin:vaadin-upload-flow
2.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin-upload-flow
23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin-upload-flow
24.0.0 - 24.7.6
≥24.7.7

Basic Information

ID CVE-2025-9467

Source Vaadin

Published Sep 4, 2025 at 06:15

Affected Product

Vendor vaadin

Product vaadin

Version 14.0.0

Affected Versions vaadin vaadin 14.0.0
vaadin vaadin 23.0.0
vaadin vaadin 24.0.0
vaadin framework 7.0.0
vaadin framework 8.0.0
vaadin vaadin-upload-flow 14.0.0
vaadin vaadin-upload-flow 23.0.0
vaadin vaadin-upload-flow 24.0.0

CWE Classification

CWE-20

References

vaadin.com /security/cve-2025-0000

{
    "lastseen": "",
    "description": "When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 7.0.0 - 7.7.47\nVaadin 8.0.0 - 8.28.1\nVaadin 14.0.0 - 14.13.0\nVaadin 23.0.0 - 23.6.1\nVaadin 24.0.0 - 24.7.6\n\nMitigation\nUpgrade to 7.7.48\nUpgrade to 8.28.2\nUpgrade to 14.13.1\nUpgrade to 23.6.2\nUpgrade to 24.7.7 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\n\nArtifacts\u00a0 \u00a0 \u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\n7.0.0 - 7.7.47\n\u22657.7.48\ncom.vaadin:vaadin-server\n8.0.0 - 8.28.1\n\u22658.28.2\ncom.vaadin:vaadin\n14.0.0 - 14.13.0\n\u226514.13.1\ncom.vaadin:vaadin23.0.0 - 23.6.1\n\u226523.6.2\ncom.vaadin:vaadin24.0.0 - 24.7.6\n\u226524.7.7com.vaadin:vaadin-upload-flow\n2.0.0 - 14.13.0\n\u226514.13.1\ncom.vaadin:vaadin-upload-flow\n23.0.0 - 23.6.1\n\u226523.6.2\ncom.vaadin:vaadin-upload-flow\n24.0.0 - 24.7.6\n\u226524.7.7",
    "published": "2025-09-04T06:15:47.336Z",
    "modified": "2025-09-04T06:15:47.336Z",
    "type": "cve",
    "title": "Possibility to bypass file upload validation on the server-side",
    "source": "Vaadin",
    "references": "https://vaadin.com/security/cve-2025-0000",
    "id": "CVE-2025-9467",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "vaadin vaadin 14.0.0\nvaadin vaadin 23.0.0\nvaadin vaadin 24.0.0\nvaadin framework 7.0.0\nvaadin framework 8.0.0\nvaadin vaadin-upload-flow 14.0.0\nvaadin vaadin-upload-flow 23.0.0\nvaadin vaadin-upload-flow 24.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vaadin",
    "version": "14.0.0",
    "vendor": "vaadin",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Possibility to bypass file upload validation on the server-side_CVE-2025-9467