GHSA-94g8-xv23-7656: 
Java vulnerability analysis and mitigation

A moderate severity vulnerability (CVE-2025-9467) was discovered in Vaadin Flow Components, specifically affecting the Upload component's validation mechanism. The vulnerability affects multiple versions including 2.0.0-14.13.0, 23.0.0-23.6.1, and 24.0.0-24.7.6 of the vaadin-upload-flow package. The issue was disclosed on September 4, 2025, and allows attackers to potentially bypass file upload validation on the server-side when using the Upload's start listener (Vaadin Advisory).

The vulnerability has been assigned a CVSS v4.0 base score of 5.3 (Medium) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green. The issue is classified under CWE-20 (Improper Input Validation) and CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating that the vulnerability stems from inadequate validation of input data during file upload processes (GitHub Advisory).

The vulnerability affects the integrity and availability of the system with low impact, while maintaining no impact on confidentiality. When exploited, it allows attackers to bypass validation mechanisms intended to restrict file uploads, potentially leading to unauthorized file uploads on the server (Vaadin Advisory).

Users are advised to upgrade to the patched versions: 14.13.1, 23.6.2, or 24.7.7 depending on their current version. For users running versions 10-13 and 15-22, which are no longer supported, it is recommended to update to the latest 14, 23, or 24 version. The vulnerability has been fixed in the following releases: Vaadin 7.7.48, 8.28.2, 14.13.1, 23.6.2, and 24.7.7 (Vaadin Advisory).