CVE-2025-9467
Vaadin Framework possible file bypass via upload validation on the server-side
EPSS 0.13%
Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version.
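As an added illustration (not code from this advisory or from the Vaadin project), the component below places the metadata-only start-listener check the advisory describes next to a server-side check on the bytes actually received; inspecting real content and size is defense in depth and does not replace upgrading to 7.7.48. It assumes the Vaadin 7 Upload API (Receiver, StartedListener, SucceededListener, Notification) and a hypothetical PNG-only policy.

```java
import java.io.ByteArrayOutputStream;
import java.util.Arrays;
import com.vaadin.ui.Notification;
import com.vaadin.ui.Upload;

// Hypothetical PNG-only upload form (assumption: Vaadin 7.x on Java 8 or later).
public class PngUploadForm {
    private static final int MAX_BYTES = 5 * 1024 * 1024;
    private static final byte[] PNG_MAGIC = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

    // Buffer that refuses to grow past MAX_BYTES; the exception aborts the upload on the
    // server, so the limit does not depend on the length the client declared.
    private final ByteArrayOutputStream buffer = new ByteArrayOutputStream() {
        @Override public synchronized void write(byte[] b, int off, int len) {
            if (size() + len > MAX_BYTES) throw new IllegalStateException("upload too large");
            super.write(b, off, len);
        }
        @Override public synchronized void write(int b) {
            if (size() + 1 > MAX_BYTES) throw new IllegalStateException("upload too large");
            super.write(b);
        }
    };

    public Upload build() {
        // Receiver: every upload that starts is written here, whatever the client declared.
        Upload upload = new Upload("PNG only", (filename, mimeType) -> {
            buffer.reset();
            return buffer;
        });
        // Metadata-only check: the start listener sees only client-supplied values
        // (filename, MIME type, declared length); the advisory describes this as bypassable.
        upload.addStartedListener(event -> {
            if (!"image/png".equals(event.getMIMEType())) upload.interruptUpload();
        });
        // Server-side check: decide on the bytes actually received, after the upload completes.
        upload.addSucceededListener(event -> {
            byte[] data = buffer.toByteArray();
            if (!looksLikePng(data)) {
                buffer.reset(); // discard; nothing has been persisted yet
                Notification.show("Rejected: content is not a PNG image");
                return;
            }
            // data is a size-capped PNG by content; hand it to storage here
        });
        return upload;
    }

    // Content check that ignores the filename and the declared MIME type.
    static boolean looksLikePng(byte[] data) {
        return data.length > PNG_MAGIC.length
                && Arrays.equals(Arrays.copyOf(data, PNG_MAGIC.length), PNG_MAGIC);
    }
}
```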
How to fix CVE-2025-9467
To remediate CVE-2025-9467, upgrade the affected package to a fixed version below.
- Maven: com.vaadin:vaadin-server, upgrade to 7.7.48 or later
Is CVE-2025-9467 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven: com.vaadin:vaadin-server, versions >= 7.0.0, < 7.7.48
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green |