CVE-2025-9467
EPSS 0.13%
Vaadin Framework possible file bypass via upload validation on the server-side
Published: 2025/9/4 | Modified: 2025/9/4
Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should upgrade to a more recent Vaadin version.
Affected packages (1)
- Maven / com.vaadin:vaadin-server: >= 7.0.0, < 7.7.48
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-9467
- PATCH: https://github.com/vaadin/framework
- WEB: https://github.com/vaadin/flow-components/commit/bfe9e507cdcc5d90a2312c8f0162f798a29ba635
- WEB: https://github.com/vaadin/flow-components/pull/7616
- WEB: https://github.com/vaadin/framework/security/advisories/GHSA-9gfh-4fwj-w3rj
- WEB: https://vaadin.com/security/cve-2025-9467