Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
See CWE-613: Insufficient Session Expiration
Description
The vulnerability applies to Fusion applications where the logout() helper method in the Authentication.ts module is used and Spring CSRF protection is enabled for logging out.
Spring Security by default enables CSRF protection. When CSRF is enabled, it only allows HTTP POST requests for logging out. The CSRF protection for logging out can be disabled as in this example, but it is not recommended. The Fusion logout() helper in Authentication.ts of affected versions uses HTTP GET request to do logout, which does not invalidate the session when the CSRF token is enabled.
To address the issue, it is recommended to update the Vaadin version to the aforementioned maintenance versions where the issue is fixed.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Product version |
Mitigation |
| Vaadin 18 |
No longer supported; Upgrade to 19.0.4 or newer 19 version |
| Vaadin 19.0.0 - 19.0.3 |
Upgrade to 19.0.4 or newer 19 version |
Please note that Vaadin 18 is no longer supported and you should update to the latest 19 version.
Artifacts
| Maven coordinates |
Vulnerable version |
Fixed version |
| com.vaadin:flow-client |
5.0 |
N/A |
| com.vaadin:flow-client |
6.0.0 - 6.0.4 |
≥ 6.0.5 |
References