CVE-2025-9467

Source
https://cve.org/CVERecord?id=CVE-2025-9467
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9467.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-9467
Aliases
Published
2025-09-04T06:15:47.336Z
Modified
2026-07-08T08:12:40.153343373Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green CVSS Calculator
Summary
Possibility to bypass file upload validation on the server-side
Details

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation.

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Vaadin 7.0.0 - 7.7.47 Vaadin 8.0.0 - 8.28.1 Vaadin 14.0.0 - 14.13.0 Vaadin 23.0.0 - 23.6.1 Vaadin 24.0.0 - 24.7.6

Mitigation Upgrade to 7.7.48 Upgrade to 8.28.2 Upgrade to 14.13.1 Upgrade to 23.6.2 Upgrade to 24.7.7 or newer

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.

Artifacts     Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server 7.0.0 - 7.7.47 ≥7.7.48 com.vaadin:vaadin-server 8.0.0 - 8.28.1 ≥8.28.2 com.vaadin:vaadin 14.0.0 - 14.13.0 ≥14.13.1 com.vaadin:vaadin23.0.0 - 23.6.1 ≥23.6.2 com.vaadin:vaadin24.0.0 - 24.7.6 ≥24.7.7com.vaadin:vaadin-upload-flow 2.0.0 - 14.13.0 ≥14.13.1 com.vaadin:vaadin-upload-flow 23.0.0 - 23.6.1 ≥23.6.2 com.vaadin:vaadin-upload-flow 24.0.0 - 24.7.6 ≥24.7.7

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/9xxx/CVE-2025-9467.json",
    "cna_assigner": "Vaadin",
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/vaadin/flow-components

Affected ranges

Type
GIT
Repo
https://github.com/vaadin/flow-components
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
Last affected
Introduced
Last affected
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "14.0.0"
        },
        {
            "last_affected": "14.13.0"
        },
        {
            "introduced": "23.0.0"
        },
        {
            "last_affected": "23.6.1"
        },
        {
            "introduced": "24.0.0"
        },
        {
            "last_affected": "24.7.6"
        }
    ]
}

Affected versions

14.*
14.10.0
14.10.0.alpha1
14.10.0.alpha2
14.10.0.alpha3
14.10.0.beta1
14.10.1
14.10.2
14.11.0
14.11.0.alpha1
14.11.0.alpha2
14.11.1
14.11.10
14.11.11
14.11.2
14.11.3
14.11.4
14.11.5
14.11.6
14.11.7
14.11.8
14.11.9
14.12.0
14.12.0.alpha1
14.12.0.beta1
14.12.0.rc1
14.12.1
14.12.2
14.12.3
14.12.4
14.12.5
14.12.6
14.12.7
14.12.8
14.13.0
14.13.0.alpha1
14.4.0
14.5.0.alpha1
14.5.0.alpha2
14.5.0.alpha3
14.5.0.beta1
14.5.0.rc1
14.6.0.alpha1
14.6.0.alpha2
14.6.0.beta1
14.6.0.beta2
14.7.0.alpha1
14.7.0.alpha2
14.7.0.alpha3
14.7.0.beta1
14.7.0.rc1
14.8.0
14.8.0.alpha1
14.8.0.beta1
14.8.1
14.8.10
14.8.11
14.8.12
14.8.13
14.8.14
14.8.15
14.8.16
14.8.17
14.8.18
14.8.2
14.8.3
14.8.4
14.8.5
14.8.6
14.8.7
14.8.8
14.8.9
14.9.0
14.9.0.alpha1
14.9.0.beta1
14.9.0.rc1
14.9.1
14.9.2
14.9.3
14.9.4
14.9.5
14.9.6
23.*
23.0.0
23.1.0.alpha1
23.1.0.alpha2
23.1.0.alpha3
23.1.0.alpha4
23.1.0.beta1
23.2.0
23.2.0.alpha1
23.2.0.alpha2
23.2.0.alpha3
23.2.0.beta1
23.2.0.beta2
23.2.0.beta3
23.2.0.beta4
23.2.0.rc1
23.3.0
23.3.0.alpha1
23.3.0.alpha2
23.3.0.alpha3
23.3.0.beta1
23.3.0.beta2
23.3.0.rc1
23.3.1
23.3.10
23.3.11
23.3.12
23.3.13
23.3.14
23.3.15
23.3.16
23.3.17
23.3.18
23.3.19
23.3.2
23.3.20
23.3.21
23.3.22
23.3.23
23.3.24
23.3.25
23.3.26
23.3.3
23.3.4
23.3.5
23.3.6
23.3.7
23.3.8
23.3.9
23.4.0
23.4.0.alpha1
23.4.0.alpha2
23.4.0.beta1
23.5.0
23.5.0.alpha1
23.5.1
23.5.10
23.5.11
23.5.12
23.5.13
23.5.14
23.5.15
23.5.16
23.5.17
23.5.2
23.5.3
23.5.4
23.5.5
23.5.6
23.5.7
23.5.8
23.5.9
23.6.0
23.6.0.alpha1
23.6.1
23.6.2
24.*
24.0.0.alpha1
24.0.0.alpha10
24.0.0.alpha2
24.0.0.alpha3
24.0.0.alpha4
24.0.0.alpha5
24.0.0.alpha6
24.0.0.alpha7
24.0.0.alpha8
24.0.0.alpha9
24.0.0.beta1
24.1.0.alpha1
24.1.0.alpha2
24.1.0.alpha3
24.1.0.alpha4
24.1.0.alpha5
24.1.0.alpha6
24.1.0.beta1
24.2.0.alpha1
24.2.0.alpha10
24.2.0.alpha11
24.2.0.alpha2
24.2.0.alpha3
24.2.0.alpha4
24.2.0.alpha5
24.2.0.alpha6
24.2.0.alpha7
24.2.0.alpha8
24.2.0.alpha9
24.3.0
24.3.0.alpha1
24.3.0.alpha2
24.3.0.alpha3
24.3.0.alpha4
24.3.0.alpha5
24.3.0.alpha6
24.3.0.beta1
24.3.0.rc1
24.4.0.alpha1
24.4.0.alpha10
24.4.0.alpha11
24.4.0.alpha13
24.4.0.alpha14
24.4.0.alpha15
24.4.0.alpha16
24.4.0.alpha17
24.4.0.alpha18
24.4.0.alpha19
24.4.0.alpha2
24.4.0.alpha20
24.4.0.alpha21
24.4.0.alpha22
24.4.0.alpha23
24.4.0.alpha24
24.4.0.alpha25
24.4.0.alpha3
24.4.0.alpha4
24.4.0.alpha5
24.4.0.alpha6
24.4.0.alpha7
24.4.0.alpha8
24.4.0.alpha9
24.4.0.beta1
24.5.0.alpha1
24.5.0.alpha10
24.5.0.alpha11
24.5.0.alpha12
24.5.0.alpha13
24.5.0.alpha14
24.5.0.alpha15
24.5.0.alpha16
24.5.0.alpha17
24.5.0.alpha2
24.5.0.alpha3
24.5.0.alpha4
24.5.0.alpha5
24.5.0.alpha6
24.5.0.alpha7
24.5.0.alpha8
24.5.0.alpha9
24.5.0.beta1
24.5.0.beta2
24.5.0.beta3
24.5.0.beta4
24.5.0.beta5
24.5.0.beta6
24.5.0.rc1
24.6.0.alpha1
24.6.0.alpha2
24.6.0.alpha3
24.6.0.alpha4
24.6.0.beta1
24.6.0.beta2
24.6.0.beta3
24.7.0
24.7.0.alpha1
24.7.0.alpha10
24.7.0.alpha11
24.7.0.alpha12
24.7.0.alpha2
24.7.0.alpha3
24.7.0.alpha4
24.7.0.alpha5
24.7.0.alpha6
24.7.0.alpha7
24.7.0.alpha8
24.7.0.alpha9
24.7.0.beta1
24.7.0.beta2
24.7.0.rc1
24.7.0.rc2
24.7.1
24.7.2
24.7.3
24.7.4
24.7.5
24.7.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9467.json"

Git / github.com/vaadin/framework

Affected ranges

Type
GIT
Repo
https://github.com/vaadin/framework
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "7.0.0"
        },
        {
            "last_affected": "7.7.47"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "last_affected": "8.28.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9467.json"