The vulnerability stems from TreeGrid using Object::toString() as the default key provider in its data communication, so the output of each item's toString() was exposed through the client-side item keys. GitHub PR #3046 shows the fix replaced this with numeric IDs, explicitly addressing the toString() exposure. The affected methods are the core data-provider initialization points in TreeGrid.java, where the default key provider was set unless explicitly overridden. The high confidence in this assessment comes from direct evidence in the commit messages and from the patch targeting exactly these methods.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.vaadin:vaadin | maven | >= 14.8.5, < 14.8.10 | 14.8.10 |
| com.vaadin:vaadin | maven | >= 22.0.6, < 22.0.15 | 22.0.15 |
| com.vaadin:vaadin | maven | >= 23.0.0, < 23.0.9 | 23.0.9 |
| com.vaadin:vaadin-grid-flow | maven | >= 14.8.5, < 14.8.10 | 14.8.10 |
| com.vaadin:vaadin-grid-flow | maven | >= 22.0.6, < 22.0.15 | 22.0.15 |
| com.vaadin:vaadin-grid-flow | maven | >= 23.0.0.beta2, < 23.0.9 | 23.0.9 |