Vaadin Platform possible file bypass via upload validation on the server-side

Description

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version.

Published: Sep 4, 2025
Updated: Sep 5, 2025
GHSA: GHSA-c7v7-rqfm-f44j
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-20
CWE-434

Affected Software
References

Software	From	Fixed in
com.vaadin / vaadin	14.0.0	14.13.1
com.vaadin / vaadin	23.0.0	23.6.2
com.vaadin / vaadin	24.0.0	24.7.7

https://github.com/vaadin/flow-components/commit/bfe9e507cdcc5d90a2312c8f0162f798a29ba635
https://github.com/vaadin/flow-components/pull/7616
https://github.com/vaadin/platform/security/advisories/GHSA-c7v7-rqfm-f44j
https://vaadin.com/security/cve-2025-9467

Vulnerability Database

Vaadin Platform possible file bypass via upload validation on the server-side

Description

Deep Security Visibility Without the Complexity