Improper URL validation in development mode handler in
com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.
See CWE-20: Improper Input Validation, CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
When running the webpack development server, it was possible to request files in the file system that are stored outside the intended frontend resources folder. This exposed two attack vectors:
- A developer running a Vaadin application locally in development mode could expose their file system to an attacker by visiting a malicious website.
- A developer running a Vaadin application locally in development mode and allowing it to be accessed from outside their own system, would expose their file system to the outside world.
The file system would be exposed to an attacker, if:
- A Vaadin application does not have production mode enabled and is missing webpack-compiled frontend resources, and
- the Vaadin application is deployed to a system on which it has access to a Node.js installation (or allows the installation of Node.js), and this causes the application startup to install and start the webpack development server on the system.
This issue is not present in Vaadin applications running in production mode: it only occurs when developing a Vaadin application and running the webpack development server.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
|Vaadin 14.0.0 - 14.4.2
||Upgrade to 14.4.3 or newer version
|Vaadin 15 - 17
||No longer supported; Upgrade to 18.0.0 or newer version
Please note that Vaadin versions 15-17 are no longer supported and you should update either to the latest 18 version.
||2.0.0 - 2.4.1
||3.0 - 4.0