Directory traversal in development mode handler in Vaadin 14 and 15-17

Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.

See CWE-20: Improper Input Validation, CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Description

When running the webpack development server, it was possible to request files in the file system that are stored outside the intended frontend resources folder. This exposed two attack vectors:

• A developer running a Vaadin application locally in development mode could expose their file system to an attacker by visiting a malicious website.
• A developer running a Vaadin application locally in development mode and allowing it to be accessed from outside their own system, would expose their file system to the outside world.

The file system would be exposed to an attacker, if:

1. A Vaadin application does not have production mode enabled and is missing webpack-compiled frontend resources, and
2. the Vaadin application is deployed to a system on which it has access to a Node.js installation (or allows the installation of Node.js), and this causes the application startup to install and start the webpack development server on the system.

This issue is not present in Vaadin applications running in production mode: it only occurs when developing a Vaadin application and running the webpack development server.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Please note that Vaadin versions 15-17 are no longer supported and you should update either to the latest 18 version. 

Artifacts

References

• PR: https://github.com/vaadin/flow/pull/9392