Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build
Severity:
Low (Base score 1.6) CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U
CVE entry:
Overview
A security vulnerability in the Vaadin Maven plugin and Vaadin Gradle plugin exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status.
See CWE-209 Generation of Error Message Containing Sensitive Information
Description
A possible information disclosure vulnerability exists in the way the Vaadin build plugins report failures of the frontend build step. Under normal circumstances the frontend build runs to completion and produces no diagnostic output beyond the build tool's own messages. When the frontend build fails, however, the plugin produces an error that includes the full set of environment variables available to the build process. These values are written to the standard build output, where they end up in CI logs and any artifacts that capture build output.
Because the build environment might contain credentials supplied as secrets, any failed frontend build exposes those secrets in clear text. Although CI providers apply secret masking to their logs, manually archived build logs in artifacts are not masked, as well as logs that are shared between developers for diagnostics.
The vulnerability is triggered only if there is a condition that causes the frontend build to exit with a non-zero status, which is not common when building Vaadin applications.
The issue is mitigated in fixed Vaadin versions by running the frontend build in a way that doesn't include environment variable values in debug output.
Because the build environment might contain credentials supplied as secrets, any failed frontend build exposes those secrets in clear text. Although CI providers apply secret masking to their logs, manually archived build logs in artifacts are not masked, as well as logs that are shared between developers for diagnostics.
The vulnerability is triggered only if there is a condition that causes the frontend build to exit with a non-zero status, which is not common when building Vaadin applications.
The issue is mitigated in fixed Vaadin versions by running the frontend build in a way that doesn't include environment variable values in debug output.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Product version | Mitigation |
|---|---|
|
Vaadin 23.0.0 - 23.6.9
|
Upgrade to 23.6.10
|
|
Vaadin 24.0.0 - 24.10.3
|
Upgrade to 24.10.4 or newer
|
|
Vaadin 25.0.0 - 25.1.4
|
Upgrade to 25.1.5 or newer |
Vaadin 14 is not affected.
Artifacts
| Maven coordinates | Vulnerable version | Fixed version |
|---|---|---|
| com.vaadin:flow-plugin-base | 23.0.0 - 23.6.10 | ≥ 23.6.11 |
| com.vaadin:flow-plugin-base | 24.0.0 - 24.10.3 | ≥ 24.10.4 |
| com.vaadin:flow-plugin-base | 25.0.0 - 25.1.4 | ≥ 25.1.5 |
| com.vaadin:flow-maven-plugin | 23.0.0 - 23.6.10 | ≥ 23.6.11 |
| com.vaadin:flow-maven-plugin |
24.0.0 - 24.10.3
|
≥ 24.10.4 |
| com.vaadin:flow-maven-plugin |
25.0.0 - 25.1.4
|
≥ 25.1.5 |
| com.vaadin:flow-maven-plugin | 24.0.0 - 24.10.3 | ≥ 24.10.4 |
| com.vaadin:flow-maven-plugin |
25.0.0 - 25.1.4
|
≥ 25.1.5 |
References
History
- 2026-05-19: Initial vulnerability report published