PT-2021-19287 · Vaadin · Com.Vaadin:Flow-Server+1

Xhelal Likaj · Published 2021-04-19 · Updated 2021-04-30 · CVE-2021-31406

CVSS v3.1: 4.0 (Medium)
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
com.vaadin:flow-server versions 3.0.0 through 5.0.3
com.vaadin:fusion-endpoint version 6.0.0

Description
The endpoint request handler compares CSRF tokens using a non-constant-time comparison. Because the comparison returns as soon as the first differing byte is found, its execution time depends on how much of the supplied token matches, which allows an attacker to guess a security token for Fusion endpoints via a timing attack.

Recommendations
For com.vaadin:flow-server versions 3.0.0 through 5.0.3, update to a version outside of this range to mitigate the risk. For com.vaadin:fusion-endpoint version 6.0.0, update to a version other than 6.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable endpoint request handler until a patch is available.
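The weakness class described above, shown as the vulnerable comparison pattern beside its constant-time replacement. This is an added example and not Vaadin's code; the token value is constructed and the method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example, not code from the Vaadin project.
public final class CsrfTokenCheck {

    // Vulnerable pattern: String.equals stops at the first mismatching
    // character, so the time it takes reveals how many leading characters
    // of the supplied token are correct (the side channel in this advisory).
    static boolean compareNonConstantTime(String expected, String supplied) {
        return expected != null && expected.equals(supplied);
    }

    // Hardened pattern: MessageDigest.isEqual examines every byte before
    // answering, so the elapsed time does not depend on where a mismatch is.
    // A length mismatch still returns early, which is acceptable because CSRF
    // tokens have a fixed, public length.
    static boolean compareConstantTime(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample values; a real token comes from the session
        // and the supplied one from the request header.
        String sessionToken = "b7e1c4d9f2a60358";
        System.out.println(compareConstantTime(sessionToken, "b7e1c4d9f2a60358"));
        System.out.println(compareConstantTime(sessionToken, "b7e1c4d9f2a60359"));
        System.out.println(compareConstantTime(sessionToken, null));
    }
}
```

Replacing the first method with the second is the shape of fix the advisory's "Fix" entry refers to; it changes no accepted or rejected outcome, only the timing of the rejection.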

Fix

Side Channel Attack


Weakness Enumeration

Related Identifiers

CVE-2021-31406
GHSA-9H6G-6MXG-VVP4
GHSA-P7JQ-V8JP-J424

Affected Products

Com.Vaadin:Flow-Server
Com.Vaadin:Fusion-Endpoint