Vaadin Flow Components possible file bypass via upload validation on the server-side

Description

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version.

Published: Sep 4, 2025
Updated: Sep 5, 2025
GHSA: GHSA-94g8-xv23-7656
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-20
CWE-434

Affected Software
References

Software	From	Fixed in
com.vaadin / vaadin-upload-flow	2.0.0	14.13.1
com.vaadin / vaadin-upload-flow	23.0.0	23.6.2
com.vaadin / vaadin-upload-flow	24.0.0	24.7.7

https://github.com/vaadin/flow-components/commit/bfe9e507cdcc5d90a2312c8f0162f798a29ba635
https://github.com/vaadin/flow-components/pull/7616
https://github.com/vaadin/flow-components/security/advisories/GHSA-94g8-xv23-7656
https://vaadin.com/security/cve-2025-9467

Vulnerability Database

Vaadin Flow Components possible file bypass via upload validation on the server-side

Description

Deep Security Visibility Without the Complexity