All vulnerability reports

Denial of service in third-party component in Vaadin 7 and 8

High (Base score 7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Improper check for exceptional condition in a third party HTML handling library used in com.vaadin:vaadin-server versions 7.0.0 through 7.7.27 (Vaadin 7.0.0 through 7.7.27) and 8.0.0 through 8.13.3 (Vaadin 8.0.0 through Vaadin 8.13.3) allows network attackers to cause denial of service via unspecified vectors.

See CWE-400: Uncontrolled Resource Consumption


Improper check for exceptional condition was discovered in a third party HTML handling library org.jsoup:jsoup used as a transitive dependency in Vaadin 7 and 8 for sanitizing HTML. By crafting a invalid HTML input, an attacker could cause the server-side parsing logic to get stuck (loop indefinitely until cancelled) or to complete more slowly than usual. The vulnerability may impact service availability, but cannot not cause execution of untrusted code or disclosure of sensitive information.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Mitigation
Vaadin 7.0.0 - 7.7.27 Upgrade to 7.7.28 or newer 7 version (Vaadin 7 extended maintenance)
Vaadin 8.0.0 - 8.13.3 Upgrade to 8.14.0 or newer 8 version

Please note that updating to Vaadin 7 is only available to extended-support customers.


Maven coordinates Vulnerable version Fixed version
com.vaadin:vaadin-server 7.0.0 - 7.7.27 ≥ 7.7.28
com.vaadin:vaadin-server 8.0.0 - 8.13.3 ≥ 8.14.0



  • 2021-10-27: Initial vulnerability report published