CVE-2026-2741 - Vulnerability Details

- Zip Slip Path Traversal on Node Unpack

Description

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2.

Vaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.

Users of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.

Published: 2026-03-10

Score: 2.3 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A specially crafted ZIP archive can escape the intended extraction directory when Vaadin automatically downloads and unpacks Node.js. If an attacker can supply the archive—for example, via DNS hijacking, a MITM attack, a compromised mirror, or a supply‑chain compromise—they can write files outside the expected directory, potentially overwriting build artifacts or inserting malicious code. This allows arbitrary file creation or modification inside the Vaadin project workspace, which could compromise confidentiality, integrity, or execution of the build.

Affected Systems

The vulnerability affects Vaadin Flow for versions 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin versions 10‑13 and 15‑22 are no longer supported, and users should consider updating to the latest supported releases of 14, 23, 24, or 25.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS score of less than 1 % shows a very small probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to control the Node.js archive download, which can happen through DNS hijacking, a MITM attack, a compromised mirror, or a supply‑chain compromise. When such an attack vector exists, the path‑traversal could enable writing arbitrary files during the build process, potentially leading to code injection or privilege escalation within the build environment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

vaadin

unaffected

Version	Status	Constraints
`14.2.0`	affected	≤ 14.14.0
`15.0.0`	affected	≤ 23.6.6
`24.0.0`	affected	≤ 24.9.8
`25.0.0`	affected	≤ 25.0.2

vaadin

flow

unaffected

Version	Status	Constraints
`2.2.0`	affected	≤ 2.13.0
`3.0.0`	affected	≤ 23.6.7
`24.0.0`	affected	≤ 24.9.9

vaadin

flow

unaffected

Version	Status	Constraints
`25.0.0`	affected	≤ 25.0.3

Configuration 1 [-]

OR	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin::::::::

No data.

Vendor Product Confidence Versions

Vaadin

Flow

100%

Version	Status	Scheme	Platform
`[14.2.0,14.14.0]`	affected	semver	—
`[23.0.0,23.6.6]`	affected	semver	—
`[24.0.0,24.9.8]`	affected	semver	—

Vaadin

Flow

100%

Version	Status	Scheme	Platform
`[25.0.0,25.0.2]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Users of affected versions should apply the following mitigation or upgrade.

Vendor Workaround

Use a globally preinstalled Node.js that is compatible with the Vaadin version instead of relying on Vaadin's automatic Node.js download.

OpenCVE Recommended Actions

Upgrade Vaadin Flow to a fixed release—upgrade from 14.2.0‑14.14.0 to 14.14.1, from 15.0.0‑23.6.6 to 23.6.7, from 24.0.0‑24.9.8 to 24.9.9, or from 25.0.0‑25.0.2 to 25.0.3 or newer.
If an upgrade is not immediately possible, install a globally preinstalled Node.js version that is compatible with your Vaadin Flow release and configure the build to use that local Node.js binary, thereby preventing Vaadin from auto‑downloading and extracting the ZIP archive.
Secure the network and package delivery channels by enforcing DNSSEC, validating TLS certificates, and ensuring that any mirrors or caches used to fetch Node.js archives are authenticated and originate from trusted sources.

Generated by OpenCVE AI on April 16, 2026 at 03:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-8jrh-7jg8-fvmv	Vaadin: Specially crafted ZIP archives can escape the intended extraction directory

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00096.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/vaadin/flow/pull/23125
https://github.com/vaadin/flow/pull/23130
https://github.com/vaadin/flow/pull/23131
https://github.com/vaadin/flow/pull/23133
https://github.com/vaadin/flow/pull/23135
https://nvd.nist.gov/vuln/detail/CVE-2026-2741
https://vaadin.com/security/cve-2026-2741
https://www.cve.org/CVERecord?id=CVE-2026-2741

History

Thu, 07 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vaadin vaadin
CPEs		cpe:2.3:a:vaadin:vaadin::::::::
Vendors & Products		Vaadin vaadin
Metrics	cvssV3_1 `{'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}`

Mon, 16 Mar 2026 11:00:00 +0000

Type	Values Removed	Values Added
Description	Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory. Users of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.	Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory. Users of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.

Fri, 13 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-2741 https://www.cve.org/CVERecord?id=CVE-2026-2741
Metrics	threat_severity `None`	cvssV3_1 `{'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:L'}` threat_severity `Low`

Wed, 11 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vaadin Vaadin flow
Vendors & Products		Vaadin Vaadin flow

Tue, 10 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/vaadin/flow/pull/23130 https://github.com/vaadin/flow/pull/23131 https://github.com/vaadin/flow/pull/23133 https://github.com/vaadin/flow/pull/23135

Tue, 10 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Description		Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory. Users of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.
Title		Zip Slip Path Traversal on Node Unpack
Weaknesses		CWE-22
References		https://github.com/vaadin/flow/pull/23125 https://vaadin.com/security/cve-2026-2741
Metrics		cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber'}`

Subscriptions

Vaadin Flow Vaadin

MITRE

Status: PUBLISHED

Assigner: Vaadin

Published: 2026-03-10T12:08:30.515Z

Updated: 2026-03-16T10:52:34.173Z

Reserved: 2026-02-19T11:59:57.103Z

Link: CVE-2026-2741

Vulnrichment

Updated: 2026-03-10T13:45:38.416Z

NVD

Status : Analyzed

Published: 2026-03-10T18:18:48.953

Modified: 2026-05-07T18:44:38.163

Link: CVE-2026-2741

Redhat

Severity : Low

Publid Date: 2026-03-10T12:08:30Z

Links: CVE-2026-2741 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object