Vulnerability	Vulnerable Version
L Directory Traversal Affected versions of this package are vulnerable to Directory Traversal via the `extractZipArchive()` function when downloading and extracting Node.js archives. An attacker can create or modify files outside the intended extraction directory by intercepting or controlling the Node.js download and serving a specially crafted ZIP archive containing path traversal sequences. Note: This is only exploitable if the system does not have a compatible Node.js version preinstalled globally, allowing the build process to automatically download and extract Node.js. How to fix Directory Traversal? Upgrade `com.vaadin:flow-server` to version 2.13.1, 23.6.8, 24.9.10 or higher.	[2.0.0,2.13.1)[3.0.0,23.6.8)[24.0.0,24.9.10)
M Access Control Bypass Affected versions of this package are vulnerable to Access Control Bypass due to inconsistent path pattern matching of reserved framework paths. An attacker can create unauthorized sessions and trigger framework initialization by accessing the `/VAADIN` endpoint without a trailing slash, thereby bypassing security filters. How to fix Access Control Bypass? Upgrade `com.vaadin:flow-server` to version 23.6.7, 24.9.8, 25.0.2 or higher.	[23.0.0,23.6.7)[24.0.0,24.9.8)[25.0.0-beta1,25.0.2)

Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the extractZipArchive() function when downloading and extracting Node.js archives. An attacker can create or modify files outside the intended extraction directory by intercepting or controlling the Node.js download and serving a specially crafted ZIP archive containing path traversal sequences.

Note:

This is only exploitable if the system does not have a compatible Node.js version preinstalled globally, allowing the build process to automatically download and extract Node.js.

How to fix Directory Traversal?

Upgrade com.vaadin:flow-server to version 2.13.1, 23.6.8, 24.9.10 or higher.

[2.0.0,2.13.1)[3.0.0,23.6.8)[24.0.0,24.9.10)

Access Control Bypass

Affected versions of this package are vulnerable to Access Control Bypass due to inconsistent path pattern matching of reserved framework paths. An attacker can create unauthorized sessions and trigger framework initialization by accessing the /VAADIN endpoint without a trailing slash, thereby bypassing security filters.

How to fix Access Control Bypass?

Upgrade com.vaadin:flow-server to version 23.6.7, 24.9.8, 25.0.2 or higher.

[23.0.0,23.6.7)[24.0.0,24.9.8)[25.0.0-beta1,25.0.2)

Go back to all versions of this package