Upload Validation Bypass in Vaadin Framework by Vaadin Ltd.
CVE-2025-9467

5.3 MEDIUM

Key Information:

Vendor:
Vaadin
CVE Published:
4 September 2025

What is CVE-2025-9467?

The Vaadin Framework contains a vulnerability that allows an attacker to bypass upload validation when the start listener of the Vaadin Upload component is used to validate the metadata of incoming uploads. This could lead to unauthorized file uploads and potential exploitation of the application. Users of affected versions are urged to apply the recommended mitigation by upgrading to a fixed version: 7.7.48, 8.28.2, 14.13.1, 23.6.2, or 24.7.7 or newer. Note that versions 10-13 and 15-22 are no longer supported and receive no fix; users on those versions should transition to the latest supported version.

Affected Version(s)

  • framework 7.0.0 through 7.7.47

  • framework 8.0.0 through 8.28.1

  • vaadin 14.0.0 through 14.13.0

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
