An authentication bypass vulnerability exists in Vaadin applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the `/VAADIN` endpoint without a trailing slash bypasses security filters, allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.
See CWE-284 Improper Access Control
Description
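The bug class behind this advisory is two components classifying the same reserved path differently, here depending on a trailing slash. The following is an added illustration, not Vaadin's or Spring Security's code: the `naive_prefix_match`, `glob_match` and `segment_match` functions are hypothetical matchers, and `find_disagreements` is a small audit a reviewer can run over path variants to surface such inconsistencies before they reach production.

```python
# Added example modelling the bug class, not code from the Vaadin project.
from typing import Callable, List

RESERVED = "/VAADIN"  # reserved framework path from the advisory

def naive_prefix_match(path: str) -> bool:
    # Hypothetical check that only recognises the reserved path when a slash
    # follows it, so the bare "/VAADIN" is not treated as a framework path.
    return path.startswith(RESERVED + "/")

def glob_match(path: str) -> bool:
    # Hypothetical second component using a "/VAADIN/**"-style rule that also
    # accepts the bare segment; the two components now disagree on "/VAADIN".
    return path == RESERVED or path.startswith(RESERVED + "/")

def segment_match(path: str) -> bool:
    # Hardened form: classify on the first path segment, so "/VAADIN",
    # "/VAADIN/" and "/VAADIN/anything" are treated alike and "/VAADINx" is not.
    parts = path.split("/", 2)
    return len(parts) > 1 and parts[1] == RESERVED.lstrip("/")

def probe_variants(base: str) -> List[str]:
    # Variants every reserved-path rule should be checked against.
    return [base, base + "/", base + "/index.html", base + "x", base.lower()]

def find_disagreements(a: Callable[[str], bool],
                       b: Callable[[str], bool],
                       base: str = RESERVED) -> List[str]:
    # Paths on which the two matchers give different answers; any hit is a
    # candidate for the kind of filter bypass described in this advisory.
    return [p for p in probe_variants(base) if a(p) != b(p)]

if __name__ == "__main__":
    print("naive vs glob:", find_disagreements(naive_prefix_match, glob_match))
    print("segment vs glob:", find_disagreements(segment_match, glob_match))
```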
Affected products and mitigation
Users of affected versions should upgrade to a fixed version.
| Product version | Mitigation |
| --- | --- |
| Vaadin 24 | Upgrade to 24.9.8 or newer |
| Vaadin 25 | Upgrade to 25.0.2 or newer |
Please note that Vaadin versions 10-13 and 15-22 are no longer supported; you should update to the latest 14, 23, or 24 version.
Artifacts
| Maven coordinates | Vulnerable version | Fixed version |
| --- | --- | --- |
| com.vaadin:flow-server | 2.0.0 - 2.13.0 | ≥2.13.1 |
| com.vaadin:flow-server | 23.0.0 - 23.6.7 | ≥23.6.8 |
| com.vaadin:flow-server | 24.0.0 - 24.9.7 | ≥24.9.8 |
| com.vaadin:flow-server | | ≥25.0.2 |
References
- https://github.com/vaadin/flow/pull/22998
- https://github.com/vaadin/flow/pull/23033
- https://github.com/vaadin/flow/pull/23034
- https://github.com/vaadin/flow/pull/23052
- https://github.com/vaadin/flow/pull/23057