Vaadin is committed to resolving vulnerabilities to meet the needs of its customers and the broader technology community. This page describes Vaadin's policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.

When to contact the security emergency response team

Contact the Vaadin Product Security Incident Response Team (PSIRT) by sending email to in the following situations:

  • You have identified a potential security vulnerability with one of our products;
  • You have identified a potential security vulnerability with one of our services.

To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via email. We are equipped to receive messages encrypted using S/MIME. You can download a copy of the certificate that can be used to send encrypted email to us: security_vaadin_com.p7b.

The email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support information on our products or services. All content other than that specific to security vulnerabilities in our products or services will be dropped. For technical and customer support inquiries, please use Stack Overflow or create an issue in the corresponding GitHub repository.

Vaadin PSIRT will confirm receipt of your report within three business days. We will work with internal teams to verify the finding and respond in a timely manner with an update or request for additional information.

Receiving security information from Vaadin

Technical security information about our products and services is distributed through several channels.

  • Vaadin distributes information to customers about security vulnerabilities via the page, GitHub security advisories (where applicable) and by email to registered users. In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability though there can be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.

    As each security vulnerability case is different, we can take alternative actions in connection with issuing security notices. Vaadin can determine to accelerate or delay the release of a notice or not issue a notice at all. Vaadin does not guarantee that security notices will be issued for any or all security issues customers can consider significant or that notices will be issued on any specific timetable.

  • Security-related information can also be distributed by Vaadin to public newsgroups or electronic mailing lists. This is done on a case-by-case basis, depending on how Vaadin perceives the relevance of each notice to each particular forum.

  • Vaadin works with the formal incident response community to distribute information. Many company security notices are distributed by regional CSIRT at the same time that they are sent through company information distribution channels.

All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.

Vulnerability reports

Date Severity Reference Description
2023-06-22 Medium CVE-2023-25499 Possible information disclosure in non visible components
2023-06-22 High ADVISORY-2023-06-22 Apache Commons FileUpload - DoS with excessive parts
2023-06-22 Low CVE-2023-25500 Possible information disclosure of class and method names in RPC response
2022-05-24 Medium CVE-2022-29567 Possible information disclosure inside TreeGrid component with default data provider
2022-04-01 Critical ADVISORY-2022-04-01 Spring Core Remote Code Execution via Data Binding on JDK 9+
2021-11-01 Medium CVE-2021-33611 Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14
2021-10-27 High ADVISORY-2021-10-27 Denial of service in third-party component in Vaadin 7 and 8
2021-10-13 Medium CVE-2021-33609 Denial of service in DataCommunicator class in Vaadin 8
2021-08-24 Medium CVE-2021-33605 Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20
2021-06-24 Low CVE-2021-33604 Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19
2021-06-24 Medium CVE-2021-31412 Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19
2021-05-04 Medium CVE-2021-31411 Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19
2021-04-30 High CVE-2021-31409 Regular expression Denial of Service (ReDoS) in EmailValidator class in V7 compatibility module in Vaadin 8
2021-04-22 High CVE-2021-31410 Project sources exposure in Vaadin Designer
2021-04-20 Medium CVE-2021-31408 Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19
2021-03-29 High CVE-2021-31407 Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
2021-03-19 Medium CVE-2021-31406 Timing side channel vulnerability in endpoint request handler in Vaadin 15-19
2021-03-11 High CVE-2021-31405 Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17
2021-02-17 Medium CVE-2021-31404 Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18
2021-02-12 Medium CVE-2021-31403 Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8
2020-11-26 Medium CVE-2020-36321 Directory traversal in development mode handler in Vaadin 14 and 15-17
2020-10-08 High CVE-2020-36320 Regular expression denial of service (ReDoS) in EmailValidator class in Vaadin 7
2020-04-21 Low CVE-2020-36319 Potential sensitive data exposure in applications using Vaadin 15
2019-07-04 Medium CVE-2019-25028 Stored cross-site scripting in Grid component in Vaadin 7 and 8
2019-05-27 Medium CVE-2019-25027 Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
2018-11-29 Low CVE-2018-25007 Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
2018-11-13 Notice ADVISORY-2018-11-13 Potential deserialization of untrusted data in Vaadin 7 and 8 when JMX or RMI are enabled
2017-05-11 High ADVISORY-2017-05-11 Denial of service in UIDL request handler in Vaadin 7 and 8