GHSA-c7v7-rqfm-f44j: Vaadin Platform possible file bypass via upload validation on the server-side
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should upgrade to a more recent Vaadin version.
References
- github.com/advisories/GHSA-c7v7-rqfm-f44j
- github.com/vaadin/flow-components/commit/bfe9e507cdcc5d90a2312c8f0162f798a29ba635
- github.com/vaadin/flow-components/pull/7616
- github.com/vaadin/platform
- github.com/vaadin/platform/security/advisories/GHSA-c7v7-rqfm-f44j
- nvd.nist.gov/vuln/detail/CVE-2025-9467
- vaadin.com/security/cve-2025-9467