GHSA-c7v7-rqfm-f44j: 
Java vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-c7v7-rqfm-f44j/CVE-2025-9467) was identified in the Vaadin Platform's Upload component, affecting versions 14.0.0-14.13.0, 23.0.0-23.6.1, and 24.0.0-24.7.6. The vulnerability was discovered and disclosed on September 4, 2025, allowing attackers to bypass file upload validation on the server-side when using the Upload's start listener to validate metadata about incoming uploads (Vaadin Advisory, GitHub Advisory).

The vulnerability has been assigned a CVSS v4.0 base score of 5.3 (Medium severity) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green. The vulnerability is classified under CWE-20 (Improper Input Validation), indicating that the application fails to properly validate input that can affect the control flow or data flow of a program (Vaadin Advisory).

The vulnerability affects the integrity and availability of the system with low impact, while having no impact on confidentiality. The vulnerability requires network access and low privileges to exploit, with no user interaction needed. The attack complexity is considered low, making it relatively straightforward to exploit (GitHub Advisory).

Users of affected versions should upgrade to the patched versions: 14.13.1 for version 14.x, 23.6.2 for version 23.x, or 24.7.7 for version 24.x. For users running versions 10-13 and 15-22, which are no longer supported, it is recommended to update to the latest 14, 23, or 24 version (Vaadin Advisory, GitHub Advisory).