The vulnerability is a race condition in the file upload mechanism. The patch in commit bfe9e507cdcc5d90a2312c8f0162f798a29ba635 shows the fix: the endUpload method in com.vaadin.flow.component.upload.Upload is changed to reset the interrupted flag only once every active upload has finished (activeUploads == 0). Previously the flag was reset after each individual upload, which opened a window in which a validation failure that should have interrupted the whole batch was lost for the remaining files of that batch. An attacker could exploit this by sending a batch in which the first file triggers a validation error (and therefore an interruption) while a later malicious file is still processed, because the interruption has already been cleared by the time it is handled. Note that the security advisory lists the older vaadin-server packages, whereas the referenced commit lives in the newer vaadin-flow-components repository; the fundamental logic of the vulnerability is the same in both, and endUpload is the core of the flawed implementation. Deployments should compare the vaadin-server version actually resolved on the classpath (for example via mvn dependency:tree) against the affected ranges below rather than relying on the version declared in the top-level pom.
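To make the reset-timing bug concrete, here is an added, simplified single-threaded model of the flag handling described above. It is not Vaadin's source code: apart from the names endUpload, interrupted and activeUploads, every class, method, size limit and file name below is an assumption chosen for the illustration. The same class runs in "vulnerable" mode (flag cleared after every file) and "patched" mode (flag cleared only when activeUploads reaches zero) so the two outcomes can be compared on one constructed two-file batch.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration only; not Vaadin's implementation. Models a component
// that counts in-flight uploads of one batch and carries an "interrupted"
// flag that a validation failure sets to stop the rest of the batch.
public class UploadBatchModel {
    private int activeUploads = 0;
    private boolean interrupted = false;
    private final boolean patched; // false: reset after every file, true: reset only when idle

    public UploadBatchModel(boolean patched) {
        this.patched = patched;
    }

    public void startUpload() {
        activeUploads++;
    }

    // A validation failure for any file is meant to abort the whole batch.
    public void interruptUpload() {
        interrupted = true;
    }

    public void endUpload() {
        activeUploads--;
        if (!patched) {
            // Vulnerable: clears the flag while other files are still in flight,
            // so a later file no longer sees that the batch was interrupted.
            interrupted = false;
        } else if (activeUploads == 0) {
            // Fixed: clear only once the entire batch has drained.
            interrupted = false;
        }
    }

    // Receives one multi-file batch: every file is registered as active up
    // front, then each is validated and, unless the batch has been
    // interrupted, its body is "written" (here: appended to the accepted list).
    public List<String> receiveBatch(Map<String, Long> filesWithSizes, long maxBytes) {
        List<String> accepted = new ArrayList<>();
        for (int i = 0; i < filesWithSizes.size(); i++) {
            startUpload();
        }
        for (Map.Entry<String, Long> e : filesWithSizes.entrySet()) {
            if (e.getValue() > maxBytes) { // assumed validation rule: a size limit
                interruptUpload();
            }
            if (!interrupted) {
                accepted.add(e.getKey());
            }
            endUpload();
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed batch: the first file violates the limit and must abort
        // the batch; the second file is within the limit on its own.
        Map<String, Long> batch = new LinkedHashMap<>();
        batch.put("oversized.bin", 5L * 1024 * 1024);
        batch.put("second.bin", 16L * 1024);
        long limit = 1024L * 1024;

        System.out.println("vulnerable accepted: " + new UploadBatchModel(false).receiveBatch(batch, limit));
        System.out.println("patched accepted:    " + new UploadBatchModel(true).receiveBatch(batch, limit));
    }
}
```

In vulnerable mode the first file's endUpload clears the flag, so second.bin is written even though the batch was supposed to be aborted; in patched mode the flag survives until activeUploads drops to zero, so nothing from the batch is written. The real component raises the interruption from listener callbacks and handles uploads concurrently, which is why the page calls it a race; this model serializes the steps purely to make the flag's lifetime visible.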
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.vaadin:vaadin-server | maven | >= 7.0.0, <= 7.7.47 | 7.7.48 |
| com.vaadin:vaadin-server | maven | >= 8.0.0, <= 8.28.1 | 8.28.2 |