PT-2025-35893 · Vaadin · Vaadin 14.13.0+9
Published 2025-09-04 · Updated 2025-09-04 · CVE-2025-9467
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green
Name of the Vulnerable Software and Affected Versions
Vaadin versions 7.0.0 through 7.7.47
Vaadin versions 8.0.0 through 8.28.1
Vaadin versions 14.0.0 through 14.13.0
Vaadin versions 23.0.0 through 23.6.1
Vaadin versions 24.0.0 through 24.7.6
Description
The Vaadin Upload component’s start listener validation can be bypassed when validating metadata for incoming uploads.
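Because the advisory states that checks placed only in the Upload component's start listener can be bypassed, a defensive pattern is to treat the start listener as a first filter on declared metadata and make the real decision on the bytes that actually arrive. The example below is an added illustration, not Vaadin's code and not part of the advisory; it assumes the Vaadin Flow Upload API (com.vaadin.flow.component.upload, Vaadin 14 and later), chooses hypothetical policy values (MAX_BYTES, the allowed types), and uses a placeholder store() hook for persistence. It complements the upgrades listed under Recommendations rather than replacing them.

```java
// Added example (hypothetical application code, not Vaadin's): an Upload whose
// server-side checks do not depend on the StartedListener alone.
import com.vaadin.flow.component.upload.Receiver;
import com.vaadin.flow.component.upload.Upload;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.Arrays;
import java.util.Map;

public class HardenedUpload {

    // Hypothetical policy values chosen for this example.
    static final long MAX_BYTES = 5L * 1024 * 1024;
    // Leading bytes expected per allowed type (checked on content, not on client-declared MIME).
    static final Map<String, byte[]> MAGIC = Map.of(
            "image/png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
            "image/jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "application/pdf", new byte[] {'%', 'P', 'D', 'F'});

    /** OutputStream that enforces MAX_BYTES on the bytes actually received, whatever Content-Length said. */
    static final class BoundedBuffer extends OutputStream {
        private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        private long written;

        @Override public void write(int b) throws IOException {
            write(new byte[] {(byte) b}, 0, 1);
        }

        @Override public void write(byte[] b, int off, int len) throws IOException {
            written += len;
            if (written > MAX_BYTES) {
                throw new IOException("upload exceeds " + MAX_BYTES + " bytes");
            }
            buf.write(b, off, len);
        }

        byte[] content() { return buf.toByteArray(); }
    }

    /** Receiver that stores into a BoundedBuffer and keeps only the last path segment of the name. */
    static final class BoundedReceiver implements Receiver {
        private volatile BoundedBuffer current;
        private volatile String safeName;

        @Override public OutputStream receiveUpload(String fileName, String mimeType) {
            int cut = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\'));
            safeName = fileName.substring(cut + 1);
            current = new BoundedBuffer();
            return current;
        }

        byte[] content() { return current.content(); }
        String safeName() { return safeName; }
    }

    /** Returns the allowed type whose signature matches the leading bytes, or null if none does. */
    static String detectType(byte[] data) {
        for (Map.Entry<String, byte[]> e : MAGIC.entrySet()) {
            byte[] sig = e.getValue();
            if (data.length >= sig.length && Arrays.equals(Arrays.copyOf(data, sig.length), sig)) {
                return e.getKey();
            }
        }
        return null;
    }

    static Upload build(BoundedReceiver receiver) {
        Upload upload = new Upload(receiver);
        upload.setMaxFileSize((int) MAX_BYTES);                                    // client-side hint only
        upload.setAcceptedFileTypes("image/png", "image/jpeg", "application/pdf"); // client-side hint only

        // First filter on declared metadata; per the advisory this check alone can be bypassed.
        upload.addStartedListener(ev -> {
            if (ev.getContentLength() > MAX_BYTES || !MAGIC.containsKey(ev.getMIMEType())) {
                upload.interruptUpload();
            }
        });

        // Decision point: only the received bytes are trusted, never the declared type or length.
        upload.addSucceededListener(ev -> {
            byte[] data = receiver.content();
            String type = detectType(data);
            if (type == null) {
                return; // content matches no allowed type: nothing is stored
            }
            store(receiver.safeName(), type, data); // hypothetical persistence hook
        });

        upload.addFailedListener(ev -> { /* size limit hit or interrupted: nothing was stored */ });
        return upload;
    }

    static void store(String name, String type, byte[] data) { /* application-specific */ }
}
```

The size limit lives in the OutputStream so it holds even if the start listener never ran or was satisfied by a misleading Content-Length, and the type decision is made from file signatures after the transfer completes; the client-side setMaxFileSize and setAcceptedFileTypes calls remain as usability hints only.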
Recommendations
Upgrade to Vaadin version 7.7.48 or newer.
Upgrade to Vaadin version 8.28.2 or newer.
Upgrade to Vaadin version 14.13.1 or newer.
Upgrade to Vaadin version 23.6.2 or newer.
Upgrade to Vaadin version 24.7.7 or newer.
Tags: Fix · Unrestricted File Upload · RCE
Affected Products
Vaadin 7.0.0
Vaadin 7.7.47
Vaadin 8.0.0
Vaadin 8.28.1
Vaadin 14.0.0
Vaadin 14.13.0
Vaadin 23.0.0
Vaadin 23.6.1
Vaadin 24.0.0
Vaadin 24.7.6