CVE-2018-25007: 
Java vulnerability analysis and mitigation

CVE-2018-25007 is a security vulnerability affecting com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2). The vulnerability was discovered and disclosed in 2018, with the CVE being assigned on April 13, 2021. The issue stems from a missing check in the UIDL request handler that allows attackers to update element property values through crafted synchronization messages (Vaadin Security).

The vulnerability is classified with a CVSS v3.1 base score of 2.6 (Low severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N. The issue is categorized as CWE-754: Improper Check for Unusual or Exceptional Conditions. The technical issue allows server-side element property values to be updated from the client in unexpected situations through fake synchronization messages. The server-side value was only updated in cases where the client filter was not set, while read-only and disabled element property updates remained blocked (Vaadin Security).

The vulnerability's impact is primarily focused on situations where template models contain beans in a list, allowing properties of the beans to be updated when not intended. The impact is limited as read-only and disabled element property updates were not affected by this issue. The vulnerability could affect logic that reads element property values and expects those to be immutable from the client side (Vaadin Security).

Users of affected versions are advised to upgrade to fixed versions. For Vaadin 10.0.0 - 10.0.7, users should upgrade to version 10.0.8 or newer. For Vaadin 11.0.0 - 11.0.2, users should upgrade to version 11.0.3 or newer. The flow-server component should be updated to version 1.0.6 or higher (Vaadin Security).