When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation.


Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version
Vaadin 7.0.0 - 7.7.47
Vaadin 8.0.0 - 8.28.1
Vaadin 14.0.0 - 14.13.0
Vaadin 23.0.0 - 23.6.1
Vaadin 24.0.0 - 24.7.6

Mitigation
Upgrade to 7.7.48
Upgrade to 8.28.2
Upgrade to 14.13.1
Upgrade to 23.6.2
Upgrade to 24.7.7 or newer

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.

Artifacts     Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server
7.0.0 - 7.7.47
≥7.7.48
com.vaadin:vaadin-server
8.0.0 - 8.28.1
≥8.28.2
com.vaadin:vaadin
14.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin24.0.0 - 24.7.6
≥24.7.7com.vaadin:vaadin-upload-flow
2.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin-upload-flow
23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin-upload-flow
24.0.0 - 24.7.6
≥24.7.7
References
History

Thu, 04 Sep 2025 06:30:00 +0000

Type Values Removed Values Added
Description When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 7.0.0 - 7.7.47 Vaadin 8.0.0 - 8.28.1 Vaadin 14.0.0 - 14.13.0 Vaadin 23.0.0 - 23.6.1 Vaadin 24.0.0 - 24.7.6 Mitigation Upgrade to 7.7.48 Upgrade to 8.28.2 Upgrade to 14.13.1 Upgrade to 23.6.2 Upgrade to 24.7.7 or newer Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version. Artifacts     Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server 7.0.0 - 7.7.47 ≥7.7.48 com.vaadin:vaadin-server 8.0.0 - 8.28.1 ≥8.28.2 com.vaadin:vaadin 14.0.0 - 14.13.0 ≥14.13.1 com.vaadin:vaadin23.0.0 - 23.6.1 ≥23.6.2 com.vaadin:vaadin24.0.0 - 24.7.6 ≥24.7.7com.vaadin:vaadin-upload-flow 2.0.0 - 14.13.0 ≥14.13.1 com.vaadin:vaadin-upload-flow 23.0.0 - 23.6.1 ≥23.6.2 com.vaadin:vaadin-upload-flow 24.0.0 - 24.7.6 ≥24.7.7
Title Possibility to bypass file upload validation on the server-side
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Vaadin

Published:

Updated: 2025-09-04T06:15:47.336Z

Reserved: 2025-08-25T14:57:19.966Z

Link: CVE-2025-9467

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.