
CVE-2025-9467: Vaadin Framework possible file bypass via upload validation on the server-side

CVSS Score: N/A

Basic Information

EPSS Score: 0.29918%
Published: 9/4/2025
Updated: 9/4/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.vaadin:vaadin-server | maven | >= 7.0.0, <= 7.7.47 | 7.7.48 |
| com.vaadin:vaadin-server | maven | >= 8.0.0, <= 8.28.1 | 8.28.2 |

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability is a race condition in the file upload mechanism. The provided patch from commit bfe9e507cdcc5d90a2312c8f0162f798a29ba635 clearly shows the fix. The endUpload method in com.vaadin.flow.component.upload.Upload is modified to only reset the interrupted flag when all active uploads are complete (activeUploads == 0). Previously, it was reset after every single upload, creating a window where a file validation failure that should interrupt all uploads could be ignored for other files in the same batch. An attacker could exploit this by sending a batch of files where the first one triggers a validation error and an interruption, but a subsequent malicious file gets processed because the interruption is prematurely cleared. While the security advisory refers to older vaadin-server packages, the provided commit is for the newer vaadin-flow-components. The fundamental logic of the vulnerability is the same, and the endUpload function is the core of the flawed implementation.
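The flag handling described above, reduced to a stand-alone model so the two endUpload behaviours can be compared side by side. This is an added illustration, not Vaadin's code and not the patch from the commit cited above: the class name, the ResetPolicy enum, the StartValidator interface and the file names are invented for the example, and the batch loop is a simplification of how start, data and end events interleave in a real upload.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Model of the interrupted-flag handling in a multi-file upload (not Vaadin's code).
 * RESET_PER_UPLOAD mirrors the flawed endUpload, RESET_WHEN_IDLE the fixed one.
 */
public class UploadInterruptModel {

    public enum ResetPolicy { RESET_PER_UPLOAD, RESET_WHEN_IDLE }

    /** Stand-in for a start listener that validates metadata before any bytes arrive. */
    public interface StartValidator {
        boolean accept(String fileName);
    }

    private final ResetPolicy policy;
    private final StartValidator validator;
    private int activeUploads = 0;
    private boolean interrupted = false;

    public UploadInterruptModel(ResetPolicy policy, StartValidator validator) {
        this.policy = policy;
        this.validator = validator;
    }

    /** Start event: count the upload and interrupt the batch when validation fails. */
    private void startUpload(String fileName) {
        activeUploads++;
        if (!validator.accept(fileName)) {
            interrupted = true;
        }
    }

    /** Data phase: bytes are stored only while no interruption is pending. */
    private boolean receive(String fileName, List<String> stored) {
        if (interrupted) {
            return false;
        }
        stored.add(fileName);
        return true;
    }

    /** End event: the only difference between the two policies lives here. */
    private void endUpload() {
        activeUploads--;
        if (policy == ResetPolicy.RESET_PER_UPLOAD) {
            interrupted = false;            // flawed: cleared after every single upload
        } else if (activeUploads == 0) {
            interrupted = false;            // fixed: cleared only once the batch is idle
        }
    }

    /**
     * Simulates a batch in which every start event is delivered before any upload
     * finishes (the concurrent window the analysis describes), after which the
     * uploads complete one by one. Returns the names whose bytes were stored.
     */
    public List<String> processBatch(List<String> fileNames) {
        List<String> stored = new ArrayList<>();
        for (String name : fileNames) {
            startUpload(name);
        }
        for (String name : fileNames) {
            receive(name, stored);
            endUpload();
        }
        return stored;
    }

    public static void main(String[] args) {
        StartValidator pdfOnly = name -> name.toLowerCase().endsWith(".pdf");
        // Constructed batch: both files fail the start validation.
        List<String> batch = Arrays.asList("first.exe", "second.exe");

        UploadInterruptModel flawed =
                new UploadInterruptModel(ResetPolicy.RESET_PER_UPLOAD, pdfOnly);
        UploadInterruptModel fixed =
                new UploadInterruptModel(ResetPolicy.RESET_WHEN_IDLE, pdfOnly);

        System.out.println("flawed stores: " + flawed.processBatch(batch));
        System.out.println("fixed stores:  " + fixed.processBatch(batch));
        // Once the batch is idle, the fixed model accepts a valid file again.
        System.out.println("fixed, next batch: "
                + fixed.processBatch(Arrays.asList("report.pdf")));
    }
}
```

Compile and run with `javac UploadInterruptModel.java && java UploadInterruptModel`. Under RESET_PER_UPLOAD the batch ends with second.exe stored even though the validator rejected it, because the first upload's completion cleared the interruption that the second file's own validation failure had set. Under RESET_WHEN_IDLE nothing from the batch is stored, and once activeUploads drops back to zero the next valid file is accepted normally. A regression test for the real component should assert exactly that property: no bytes of any file in an interrupted batch reach storage.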

WAF Protection Rules

WAF Rule

### Description

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version.
