Potential sensitive data exposure in applications using Vaadin 15

Low (Base score 3.1) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE entry:


Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController

See CWE-200: Exposure of Sensitive Information to an Unauthorized Actor


The affected versions of Vaadin modify the default ObjectMapper bean in Spring to also expose private and protected properties. This can cause accidental exposure of sensitive data if the application also uses e.g. @RestController. Vaadin 15.0.5 fixes the problem by only modifying a separate ObjectMapper instance that isn't shared with other Spring functionality.
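The following Java snippet is an added illustration of the two patterns described above, not code from Vaadin or from the advisory. It uses only Jackson (the library behind Spring's ObjectMapper) and a constructed DTO; the Spring wiring is left out, and the assumption is that the "shared" instance corresponds to the application-wide ObjectMapper bean that @RestController's JSON converter uses. Widening field visibility on that shared instance makes private and protected fields serializable for every caller, whereas doing it on a copy keeps the change local.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class ObjectMapperVisibilityDemo {

    /** Constructed sample DTO: only the getter-backed property is meant to be public. */
    static class UserProfile {
        private final String username;       // exposed through getUsername()
        private final String passwordHash;   // no getter: must never reach a REST client
        protected String internalNote;       // no getter either

        UserProfile(String username, String passwordHash, String internalNote) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.internalNote = internalNote;
        }

        public String getUsername() { return username; }
    }

    /** Vulnerable pattern (hypothetical): widening field visibility on the shared mapper. */
    static ObjectMapper widenSharedMapper(ObjectMapper shared) {
        shared.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
        return shared;
    }

    /** Fixed pattern: widen visibility only on a private copy; the shared mapper is untouched. */
    static ObjectMapper privateWideMapper(ObjectMapper shared) {
        ObjectMapper own = shared.copy();
        own.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
        return own;
    }

    /** Regression check an application could keep: the shared mapper must not see non-public fields. */
    static boolean sharedMapperLeaksPrivateFields(ObjectMapper shared, Object sample)
            throws JsonProcessingException {
        String json = shared.writeValueAsString(sample);
        return json.contains("passwordHash") || json.contains("internalNote");
    }

    public static void main(String[] args) throws JsonProcessingException {
        UserProfile profile = new UserProfile("alice", "constructed-hash-value", "constructed note");

        // Jackson's default visibility serializes public getters/fields only, so just "username" appears.
        ObjectMapper shared = new ObjectMapper();
        System.out.println("default : " + shared.writeValueAsString(profile));

        // Fixed pattern: the copy sees all fields, the shared instance still does not.
        ObjectMapper own = privateWideMapper(shared);
        System.out.println("copy    : " + own.writeValueAsString(profile));
        System.out.println("shared  : " + shared.writeValueAsString(profile));
        System.out.println("leaks?  : " + sharedMapperLeaksPrivateFields(shared, profile));

        // Vulnerable pattern: the same change on the shared instance now affects every caller,
        // including any JSON converter that serves @RestController responses.
        widenSharedMapper(shared);
        System.out.println("widened : " + shared.writeValueAsString(profile));
        System.out.println("leaks?  : " + sharedMapperLeaksPrivateFields(shared, profile));
    }
}
```

In a Spring application the equivalent check is to serialize a DTO with a non-public field through the auto-configured ObjectMapper bean (for example in an integration test) and fail if the field name appears; a library that needs wider visibility for its own purposes should, as the fix in 15.0.5 does, keep that on an instance it owns.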

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version            Mitigation
Vaadin 15.0.0 - 15.0.4     Upgrade to 15.0.5 or newer version


Maven coordinates          Vulnerable version    Fixed version
com.vaadin:flow-server     3.0.0 - 3.0.5         ≥ 3.0.6


This issue was discovered and responsibly reported by Christian Knoop (



  • 2020-04-21: Initial vulnerability report published