Vaadin Security Advisories

Vaadin Flow and the axios npm supply-chain compromise

manolo@vaadin.com (Manuel Carrasco) — Fri, 17 Apr 2026 14:12:01 GMT

On March 31, 2026, compromised versions of the popular axios HTTP client library (1.14.1 and 0.30.4) were published to NPM via a hijacked maintainer account. The malicious versions injected plain-crypto-js@4.2.1, a cross-platform RAT dropper that connected to a command-and-control server. The compromised packages were live for approximately three hours (00:21 to 03:29 UTC) before NPM removed them from the registry.

No Vaadin packages, bundles, or build artifacts were affected by this incident.

CVE-2026-2742: Unauthorized Session Creation via Reserved Framework Path Access

manolo@vaadin.com (Manuel Carrasco) — Tue, 10 Mar 2026 12:12:18 GMT

An authentication bypass vulnerability exists in Vaadin applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the `/VAADIN` endpoint without a trailing slash bypasses security filters, allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.

CVE-2026-2741: Zip Slip Path Traversal on Node Unpack

manolo@vaadin.com (Manuel Carrasco) — Tue, 10 Mar 2026 12:11:53 GMT

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2.

CVE-2025-15022: Cross-site scripting in Action caption

manolo@vaadin.com (Manuel Carrasco) — Mon, 05 Jan 2026 07:52:44 GMT

Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.

React 19 Server Components Critical Vulnerability (CVE-2025-55182, CVE-2025-55183, CVE-2025-55184)

manolo@vaadin.com (Manuel Carrasco) — Tue, 09 Dec 2025 12:07:31 GMT

On December 3, 2025, the React team disclosed a critical remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) affecting React 19 Server Components. This vulnerability has raised concerns among Vaadin users and security scanning tools.

Update: On December 11 and 12, 2025, two new vulnerabilities (CVE-2025-55183, CVSS 5.3, and CVE-2025-55184, CVSS 7.5) were reported affecting React 19 Server Components. The same explanation applies to both issues.

Vaadin products are NOT affected by these vulnerabilities under normal deployment configurations. This advisory clarifies Vaadin's architecture and identifies the rare circumstances where action might be needed.

ADVISORY-2025-09-26: Vaadin Flow, Hilla and the September 2025 npm supply-chain attacks

manolo@vaadin.com (Manuel Carrasco) — Fri, 26 Sep 2025 09:42:57 GMT

Recently two major npm supply-chain attacks have been reported, raising concerns about the safety of the broader software ecosystem, including for Vaadin users.

The first incident involved compromised maintainer accounts and malicious releases of widely used packages such as debug and chalk. The second, known as Shai-Hulud, used poisoned package versions and a self-replicating post-install script to steal developer credentials (npm tokens, GitHub PATs, cloud keys) and republish tainted packages from victim accounts, infecting 180+ packages. In November 2025, a more aggressive second wave, Shai-Hulud 2.0, compromised 700+ packages including projects from Zapier, PostHog, and Postman, using preinstall hooks that execute even on failed installations.

No Vaadin packages or bundles were affected in either attack.

CVE-2025-9467: Possibility to bypass file upload validation on the server-side

sami.ekblad@itmill.com (Sami Ekblad) — Wed, 03 Sep 2025 21:00:00 GMT

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation.

Ingress-Nginx Admission Controller RCE Escalation

manolo@vaadin.com (Manuel Carrasco) — Mon, 31 Mar 2025 11:34:18 GMT

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CVE-2023-25499: Possible information disclosure in non visible components

sami.ekblad@itmill.com (Sami Ekblad) — Thu, 22 Jun 2023 12:53:42 GMT

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

Apache Commons FileUpload - DoS with excessive parts

sami.ekblad@itmill.com (Sami Ekblad) — Thu, 22 Jun 2023 12:53:25 GMT

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.