{"id":"CVE-2025-9467","summary":"Possibility to bypass file upload validation on the server-side","details":"When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 7.0.0 - 7.7.47\nVaadin 8.0.0 - 8.28.1\nVaadin 14.0.0 - 14.13.0\nVaadin 23.0.0 - 23.6.1\nVaadin 24.0.0 - 24.7.6\n\nMitigation\nUpgrade to 7.7.48\nUpgrade to 8.28.2\nUpgrade to 14.13.1\nUpgrade to 23.6.2\nUpgrade to 24.7.7 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\n\nArtifacts     Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\n7.0.0 - 7.7.47\n≥7.7.48\ncom.vaadin:vaadin-server\n8.0.0 - 8.28.1\n≥8.28.2\ncom.vaadin:vaadin\n14.0.0 - 14.13.0\n≥14.13.1\ncom.vaadin:vaadin23.0.0 - 23.6.1\n≥23.6.2\ncom.vaadin:vaadin24.0.0 - 24.7.6\n≥24.7.7com.vaadin:vaadin-upload-flow\n2.0.0 - 14.13.0\n≥14.13.1\ncom.vaadin:vaadin-upload-flow\n23.0.0 - 23.6.1\n≥23.6.2\ncom.vaadin:vaadin-upload-flow\n24.0.0 - 24.7.6\n≥24.7.7","aliases":["GHSA-9gfh-4fwj-w3rj"],"modified":"2026-07-08T08:12:40.153343373Z","published":"2025-09-04T06:15:47.336Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/9xxx/CVE-2025-9467.json","cwe_ids":["CWE-20"],"cna_assigner":"Vaadin"},"references":[{"type":"WEB","url":"https://repo.maven.apache.org/maven2"},{"type":"WEB","url":"https://vaadin.com/security/cve-2025-9467"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/9xxx/CVE-2025-9467.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9467"},{"type":"PACKAGE","url":"https://github.com/vaadin/flow-components"},{"type":"PACKAGE","url":"https://github.com/vaadin/framework"},{"type":"PACKAGE","url":"https://github.com/vaadin/platform"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/flow-components","events":[{"introduced":"0"},{"last_affected":"80c02eb92995ba70d3a7787f1f5c976909716d44"},{"introduced":"fb38129cc7d03bb179e626e551fa140c7fc77547"},{"last_affected":"8cfaac2880c9c7eed175f34a0282d4bb3bb5f34d"},{"introduced":"f86528dc71f22a535a8172fafca6fe128d3b89da"},{"last_affected":"758a9895c6fed9306a77441eae014b2b9fbf2a64"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"14.0.0"},{"last_affected":"14.13.0"},{"introduced":"23.0.0"},{"last_affected":"23.6.1"},{"introduced":"24.0.0"},{"last_affected":"24.7.6"}]}}],"versions":["23.6.2","23.6.1","14.13.0.alpha1","14.13.0","23.6.0","24.7.6","24.7.5","23.5.17","23.5.16","23.6.0.alpha1","14.12.8","24.7.4","24.7.3","24.7.2","14.12.7","23.5.15","24.7.1","24.7.0.rc2","24.7.0","24.7.0.rc1","14.12.6","24.7.0.beta2","24.7.0.beta1","24.7.0.alpha12","14.12.5","24.7.0.alpha11","24.7.0.alpha10","24.7.0.alpha9","24.7.0.alpha8","24.7.0.alpha7","24.7.0.alpha6","24.7.0.alpha5","24.7.0.alpha4","24.7.0.alpha3","14.12.4","23.5.14","24.7.0.alpha2","24.7.0.alpha1","23.5.13","24.6.0.beta3","14.12.3","23.5.12","24.6.0.beta2","23.5.11","23.5.10","24.6.0.beta1","24.6.0.alpha4","24.6.0.alpha3","23.5.9","23.5.8","24.6.0.alpha2","14.12.2","24.6.0.alpha1","24.5.0.rc1","24.5.0.beta6","23.5.7","14.12.1","24.5.0.beta5","24.5.0.beta4","24.5.0.beta3","24.5.0.beta2","23.5.6","23.5.5","24.5.0.beta1","24.5.0.alpha17","24.5.0.alpha16","24.5.0.alpha15","24.5.0.alpha14","24.5.0.alpha13","24.5.0.alpha12","24.5.0.alpha11","23.5.4","24.5.0.alpha10","14.12.0","24.5.0.alpha9","14.12.0.rc1","14.12.0.beta1","14.12.0.alpha1","23.5.3","24.5.0.alpha8","24.5.0.alpha7","24.5.0.alpha6","24.5.0.alpha5","23.5.2","24.5.0.alpha4","24.5.0.alpha3","14.11.11","14.11.10","23.5.1","24.5.0.alpha2","24.5.0.alpha1","14.11.9","24.4.0.beta1","24.4.0.alpha25","24.4.0.alpha24","14.11.8","14.11.7","24.4.0.alpha23","24.4.0.alpha22","23.5.0","23.5.0.alpha1","24.4.0.alpha21","24.4.0.alpha20","24.4.0.alpha19","24.4.0.alpha18","24.4.0.alpha17","24.4.0.alpha16","24.4.0.alpha15","14.11.6","24.4.0.alpha14","14.11.5","24.4.0.alpha13","24.4.0.alpha11","23.4.0","24.4.0.alpha10","24.4.0.alpha9","23.4.0.beta1","24.4.0.alpha8","24.4.0.alpha7","14.11.4","24.4.0.alpha6","14.11.3","24.4.0.alpha5","24.4.0.alpha4","24.4.0.alpha3","23.4.0.alpha2","14.11.2","24.4.0.alpha2","24.4.0.alpha1","14.11.1","14.11.0","23.4.0.alpha1","14.11.0.alpha2","24.3.0","24.3.0.rc1","24.3.0.beta1","24.3.0.alpha6","24.3.0.alpha5","24.3.0.alpha4","24.3.0.alpha3","24.3.0.alpha2","24.3.0.alpha1","23.3.26","23.3.25","23.3.24","14.11.0.alpha1","24.2.0.alpha11","23.3.23","23.3.22","24.2.0.alpha10","24.2.0.alpha9","23.3.21","23.3.20","24.2.0.alpha8","24.2.0.alpha7","24.2.0.alpha6","24.2.0.alpha5","23.3.19","23.3.18","24.2.0.alpha4","23.3.17","24.2.0.alpha3","23.3.16","24.2.0.alpha2","14.10.2","14.10.1","23.3.15","24.2.0.alpha1","23.3.14","23.3.13","14.10.0","24.1.0.beta1","24.1.0.alpha6","24.1.0.alpha5","23.3.12","24.1.0.alpha4","14.10.0.beta1","14.10.0.alpha3","23.3.11","23.3.10","24.1.0.alpha3","24.1.0.alpha2","23.3.9","24.1.0.alpha1","23.3.8","14.10.0.alpha2","23.3.7","14.9.6","14.9.5","14.9.4","14.10.0.alpha1","23.3.6","24.0.0.beta1","24.0.0.alpha10","23.3.5","23.3.4","24.0.0.alpha9","23.3.3","24.0.0.alpha8","24.0.0.alpha7","23.3.2","23.3.1","23.3.0","24.0.0.alpha6","14.9.3","14.9.2","23.3.0.rc1","23.3.0.beta2","24.0.0.alpha5","23.3.0.beta1","23.3.0.alpha3","24.0.0.alpha4","24.0.0.alpha3","23.3.0.alpha2","14.9.1","14.9.0.rc1","14.9.0","24.0.0.alpha2","14.9.0.beta1","24.0.0.alpha1","14.9.0.alpha1","23.3.0.alpha1","14.8.18","14.8.17","23.2.0","14.8.16","14.8.15","23.2.0.rc1","23.2.0.beta4","23.2.0.beta3","23.2.0.beta2","23.2.0.beta1","23.2.0.alpha3","23.2.0.alpha2","14.8.14","23.2.0.alpha1","14.8.13","14.8.12","14.8.11","14.8.10","23.1.0.beta1","23.1.0.alpha4","14.8.9","14.8.8","23.1.0.alpha3","23.1.0.alpha2","23.1.0.alpha1","14.8.7","14.8.6","14.8.5","23.0.0","14.8.4","14.8.3","14.8.2","14.8.1","14.8.0","14.8.0.beta1","14.8.0.alpha1","14.7.0.rc1","14.7.0.beta1","14.7.0.alpha3","14.7.0.alpha2","14.7.0.alpha1","14.6.0.beta2","14.6.0.beta1","14.6.0.alpha2","14.6.0.alpha1","14.5.0.rc1","14.5.0.beta1","14.5.0.alpha3","14.5.0.alpha2","14.5.0.alpha1","14.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9467.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/framework","events":[{"introduced":"b29ce01468ed115e942105986da362d665408033"},{"last_affected":"517302323c6a50a81924fc873272b39702c2fdfb"},{"introduced":"fb74e3d03793a7f9c433a7be583d55e3e2d1c35d"},{"last_affected":"e310099595309ce730336f940326d878a16731f4"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"7.0.0"},{"last_affected":"7.7.47"},{"introduced":"8.0.0"},{"last_affected":"8.28.1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9467.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green"}]}