{"id":"CVE-2021-31408","details":"Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.","aliases":["GHSA-mr8h-j9cv-4m8h"],"modified":"2026-04-11T17:12:27.839986Z","published":"2021-04-23T17:15:08.260Z","references":[{"type":"ADVISORY","url":"https://vaadin.com/security/cve-2021-31408"},{"type":"FIX","url":"https://github.com/vaadin/flow/pull/10577"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/flow","events":[{"introduced":"60b4fd8e59948e2a6a5f8af1988a3adc45563ffc"},{"fixed":"6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c"},{"introduced":"6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c"},{"fixed":"815b967fc84fefa8d3a4d72b9a036f48b0d96326"}],"database_specific":{"versions":[{"introduced":"5.0.0"},{"fixed":"6.0.0"},{"introduced":"6.0.0"},{"fixed":"6.0.5"}]}},{"type":"GIT","repo":"https://github.com/vaadin/vaadin","events":[{"introduced":"3981409421683b6f4a796f37b67433d36b6a7ca1"},{"fixed":"282c9471b4846bfae98447dbebe9d3be24495ab6"},{"introduced":"0"},{"last_affected":"a5bc6b4832e649fb16243e2bc0ee9b2941815e3b"}],"database_specific":{"versions":[{"introduced":"19.0.0"},{"fixed":"19.0.4"},{"introduced":"0"},{"last_affected":"18.0.0-NA"}]}}],"versions":["6.0.0","6.0.0.rc1","6.0.1","6.0.2","6.0.3","6.0.4","v10.0.0","v10.0.0-alpha10","v10.0.0-alpha11","v10.0.0-alpha12","v10.0.0-alpha13","v10.0.0-alpha14","v10.0.0-alpha15","v10.0.0-alpha16","v10.0.0-alpha17","v10.0.0-alpha18","v10.0.0-alpha19","v10.0.0-alpha20","v10.0.0-alpha21","v10.0.0-alpha22","v10.0.0-alpha23","v10.0.0-alpha5","v10.0.0-alpha6","v10.0.0-alpha7","v10.0.0-alpha8","v10.0.0-alpha9","v10.0.0-beta1","v10.0.0-beta10","v10.0.0-beta11","v10.0.0-beta2","v10.0.0-beta3","v10.0.0-beta4","v10.0.0-beta5","v10.0.0-beta6","v10.0.0-beta7","v10.0.0-beta8","v10.0.0-beta9","v10.0.0-rc1","v10.0.0-rc2","v10.0.0-rc3","v10.0.0-rc4","v10.0.0-rc5","v10.0.1","v10.0.2","v11.0.0-alpha1","v11.0.0-beta1","v12.0.0","v12.0.0-alpha1","v12.0.0-alpha2","v12.0.0-alpha3","v12.0.0-alpha4","v12.0.0-alpha5","v12.0.0-beta1","v12.0.0-beta2","v12.0.1","v12.0.2","v13.0.0","v13.0.0-alpha1","v13.0.0-alpha2","v13.0.0-alpha3","v13.0.0-alpha4","v13.0.0-beta1","v13.0.0-beta2","v13.0.0-beta3","v13.0.1","v14.0.0","v14.0.0-alpha1","v14.0.0-alpha2","v14.0.0-alpha3","v14.0.0-alpha4","v14.0.0-beta1","v14.0.0-beta2","v14.0.0-beta3","v14.0.0-rc1","v14.0.0-rc2","v14.0.0-rc3","v14.0.0-rc4","v14.0.0-rc5","v14.0.0-rc6","v14.0.0-rc7","v14.0.0-rc8","v14.0.0-rc9","v14.0.1","v14.0.2","v15.0.0-alpha1","v15.0.0-alpha10","v15.0.0-alpha11","v15.0.0-alpha12","v15.0.0-alpha13","v15.0.0-alpha14","v15.0.0-alpha15","v15.0.0-alpha2","v15.0.0-alpha3","v15.0.0-alpha4","v15.0.0-alpha5","v15.0.0-alpha6","v15.0.0-alpha7","v15.0.0-alpha8","v15.0.0-alpha9","v15.0.0-beta1","v15.0.0-beta2","v15.0.0-beta3","v15.0.0-beta4","v15.0.0-beta5","v15.0.0-rc1","v16.0.0-alpha1","v16.0.0-alpha2","v16.0.0-alpha3","v17.0.0","v17.0.0-alpha1","v17.0.0-alpha2","v17.0.0-alpha3","v17.0.0-alpha4","v17.0.0-alpha5","v17.0.0-alpha6","v17.0.0-alpha7","v17.0.0-beta1","v17.0.0-beta2","v17.0.0-beta3","v17.0.0-rc1","v17.0.0-rc2","v18.0.0","v18.0.0-alpha1","v18.0.0-beta1","v18.0.0-beta2","v18.0.0-beta3","v18.0.0-rc1","v18.0.0-rc2","v19.0.0","v19.0.1","v19.0.2","v19.0.3","v2.0.0-alpha1","v2.0.0-alpha2","v2.0.0-alpha3"],"database_specific":{"vanir_signatures":[{"target":{"function":"collectChanges","file":"flow-server/src/main/java/com/vaadin/flow/internal/nodefeature/NodeList.java"},"signature_type":"Function","source":"https://github.com/vaadin/flow/commit/6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c","digest":{"length":1251,"function_hash":"95895721501235828134604377938523968589"},"id":"CVE-2021-31408-0f722b11","deprecated":false,"signature_version":"v1"},{"target":{"file":"flow-server/src/test/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandlerTest.java"},"signature_type":"Line","source":"https://github.com/vaadin/flow/commit/815b967fc84fefa8d3a4d72b9a036f48b0d96326","digest":{"threshold":0.9,"line_hashes":["301385501104286487236082474253944597235","33209595235755426172916430696119825081","20130507728000689394003554922185758202","27648121960375167056664220454613286655","333238594463227270340145318059775157759","162426196315294167714190241247049851805","143108685391574631857168530404470296537","289525921492748990051647339521813580169","196691798456890731011850001610931258878","94015583440665660485056429945279570936","233631714151873210613941553197754484653","339847406786329252231261177293433668469","158451126977230762946940923398983625055","158561942680941256530785398242166653410","304251129949362873653769766125841361873","308380952411650632855764156023128986748","239397498041292766278781133946454103885","237104372402625998198687946668778901177","106995218599822985345613317210655828759","292843368295729651396147701559040228668","340030634345836298512821769515880812703","41399387311399976888416394535194411084","331740420109745386061601803818086353335","8884998506346186952570742046383395492","139933011338285433419770049601160816830","98720156670210664928699433727468960320"]},"id":"CVE-2021-31408-3cbf096d","deprecated":false,"signature_version":"v1"},{"target":{"file":"flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java"},"signature_type":"Line","source":"https://github.com/vaadin/flow/commit/815b967fc84fefa8d3a4d72b9a036f48b0d96326","digest":{"threshold":0.9,"line_hashes":["88761532408362104243124548915240472006","26115545497482520410577718690440502402","11174849024622262841416345250865283229","84528676154298864545152016826230750574","278489075895345417307043855328577458086","184248164895372040317975779425110459888","219023934169466880833981601434994954349","121090698278751340858756785343313231219","2484675577778871304649568792269367086","472646401238229835898262101224063639","294378466201656383580273847132248219927","292359602663621118239833079456516038129","312436184117340029061677700511925478592","202899740439789292065858729706882250942","74406980481203728174455280537256204485","338995141612628595560954631266444936498","12714896774079731942982039562409971795"]},"id":"CVE-2021-31408-92f44d17","deprecated":false,"signature_version":"v1"},{"target":{"function":"addInitialFlow","file":"flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java"},"signature_type":"Function","source":"https://github.com/vaadin/flow/commit/815b967fc84fefa8d3a4d72b9a036f48b0d96326","digest":{"length":503,"function_hash":"226243603720421541345503239346751960012"},"id":"CVE-2021-31408-a66e3a91","deprecated":false,"signature_version":"v1"},{"target":{"function":"generateChangesFromEmpty","file":"flow-server/src/main/java/com/vaadin/flow/internal/nodefeature/NodeList.java"},"signature_type":"Function","source":"https://github.com/vaadin/flow/commit/6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c","digest":{"length":347,"function_hash":"237078465224501216918970658909492001450"},"id":"CVE-2021-31408-b1cb02ae","deprecated":false,"signature_version":"v1"},{"target":{"file":"flow-server/src/main/java/com/vaadin/flow/internal/nodefeature/NodeList.java"},"signature_type":"Line","source":"https://github.com/vaadin/flow/commit/6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c","digest":{"threshold":0.9,"line_hashes":["166633409631087626290913396734732436812","197369469223622540360828579482267148736","195140222273805224304426140183017972196","13725961261785800399221674383562159069","254809120351719464142745237772450809857","218073233907562093408731433265810115800","115598401893538929146075788865948813998","125696343857202907446740191536897790877","160714507295608243343753244293991626370","193520768097641661616424740431266394537","69994674005437863081726701270029049220","290354615757599555553062985667031195999","309531406710090212504351233874492144018","168869688385432029114419295455521740678","63934125460227180648737009602041294572","85556528253725332217195246397880446410","4550144445281353063207849036130384881","195696388440559866788998827604886889942","9141715159019342845708092688719018889","219517428722783548000327656944996394349","263174819385655843558517354193042800341","278628717958162781159499401632548149642","212108074043554686633359082740911042134","169975297854300739114179273258741891957","205737623842655635335622360341037817920","307280477213297565963444080109690997162","91811661610476284181762024379518805152","65259493187650283740785656083088485279","211259311801906745895310484723471516931","267825787843750070483517773643359595816","332891950888997778239207210083009721465","157413110011444433218980576423685117638","293332030890763288991054245397386344559","168725237606573335312901823970827696098","78467309573778413904335907284488736014","120630796013142002430213040883762815456"]},"id":"CVE-2021-31408-f3fc00e1","deprecated":false,"signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31408.json","vanir_signatures_modified":"2026-04-11T17:12:27Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}
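Added example (not part of the OSV record above, and not Vaadin's or OSV's code): a small checker that applies OSV event semantics to the record's `database_specific.versions` lists, so a practitioner can ask whether a given flow-client or Vaadin platform version falls in an affected range. Each `introduced` event opens a range; the following `fixed` closes it exclusively and the following `last_affected` closes it inclusively. Note that for these GIT-typed ranges the normative OSV events are the commit hashes; the `versions` lists live under the free-form `database_specific` field and are copied here as constructed input. The version comparator is hand-rolled for the forms seen in this record, and reading `18.0.0-NA` as plain 18.0.0 is an assumption.

```python
"""Evaluate the CVE-2021-31408 OSV record's version ranges against a version string.

Added example, not part of the OSV record or of Vaadin's code. Implements OSV
event semantics for the record's `database_specific.versions` lists: each
`introduced` opens a range; the next `fixed` closes it exclusively, the next
`last_affected` closes it inclusively; a range with neither is open-ended.
"""
import re

# Constructed excerpt: the `database_specific.versions` events copied from the
# record's two GIT ranges, keyed by that range's `repo` value.
OSV_VERSION_EVENTS = {
    "https://github.com/vaadin/flow": [
        {"introduced": "5.0.0"}, {"fixed": "6.0.0"},
        {"introduced": "6.0.0"}, {"fixed": "6.0.5"},
    ],
    "https://github.com/vaadin/vaadin": [
        {"introduced": "19.0.0"}, {"fixed": "19.0.4"},
        {"introduced": "0"}, {"last_affected": "18.0.0-NA"},
    ],
}

_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3  # a final release sorts after any pre-release of the same number


def version_key(version):
    """Sort key (numbers, pre-release rank, pre-release counter).

    Handles the forms seen in this record: '6.0.4', '6.0.0.rc1', 'v10.0.0-alpha10'.
    Any other label is ignored for ordering; in particular '18.0.0-NA' is read as
    plain 18.0.0 (assumption: 'NA' marks 'no fix available', not a pre-release).
    """
    numbers, rank, counter = [], _RELEASE_RANK, 0
    for part in re.split(r"[.-]", version.lstrip("v")):
        if part.isdigit():
            if rank == _RELEASE_RANK:
                numbers.append(int(part))
            else:
                counter = int(part)  # e.g. the trailing '1' in '1.0.0-rc.1'
            continue
        match = re.fullmatch(r"(alpha|beta|rc)(\d*)", part)
        if match:
            rank = _PRERELEASE_RANK[match.group(1)]
            counter = int(match.group(2) or 0)
    while len(numbers) < 3:
        numbers.append(0)
    return (tuple(numbers), rank, counter)


def is_affected(version, events):
    """True if `version` falls in any range described by an OSV event list."""
    key = version_key(version)
    ranges = []  # each entry: [lower (inclusive), upper, upper_inclusive]
    for event in events:
        if "introduced" in event:
            ranges.append([version_key(event["introduced"]), None, False])
        elif ranges and "fixed" in event:
            ranges[-1][1:] = [version_key(event["fixed"]), False]
        elif ranges and "last_affected" in event:
            ranges[-1][1:] = [version_key(event["last_affected"]), True]
    for lower, upper, upper_inclusive in ranges:
        if key < lower:
            continue
        if upper is None or key < upper or (upper_inclusive and key == upper):
            return True
    return False


def check(repo, version):
    """Affected status of `version` for one of the record's two repos."""
    return is_affected(version, OSV_VERSION_EVENTS[repo])


if __name__ == "__main__":
    for repo, version in [("https://github.com/vaadin/flow", "6.0.4"),
                          ("https://github.com/vaadin/flow", "6.0.5"),
                          ("https://github.com/vaadin/vaadin", "v18.0.0"),
                          ("https://github.com/vaadin/vaadin", "19.0.4")]:
        status = "affected" if check(repo, version) else "not affected"
        print(repo.rsplit("/", 1)[1], version, status)
```

Run as a script it reports flow-client 6.0.4 as affected and 6.0.5 as fixed, and Vaadin platform 18.0.0 as affected (via the inclusive `last_affected` bound) while 19.0.4 is not. The two flow ranges in the record are adjacent (`fixed: 6.0.0` followed by `introduced: 6.0.0`), so together they cover 5.0.0 up to but excluding 6.0.5, which matches the `details` text.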