VulnerableCode Package Details - pkg:maven/com.vaadin/flow-server@3.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-kkf3-sqmf-f3ft Aliases: GHSA-fr26-qjc8-mvjx GMS-2021-142	Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19 Improper sanitization of path in default `RouteNotFoundError` view in `com.vaadin:flow-server` versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for `NotFoundException` is provided.	6.0.10 Affected by 0 other vulnerabilities.
VCID-qdgn-1rqg-vuae Aliases: CVE-2023-25499 GHSA-5f9v-mv5g-jh5q	Exposure of Sensitive Information to an Unauthorized Actor When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.	9.1.1 Affected by 0 other vulnerabilities. 23.3.11 Affected by 0 other vulnerabilities. 24.0.8 Affected by 0 other vulnerabilities.
VCID-tfwa-kphb-j3b8 Aliases: CVE-2023-25500 GHSA-ch48-9r3q-pv7x	Exposure of Sensitive Information to an Unauthorized Actor Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.	9.1.2 Affected by 0 other vulnerabilities. 23.3.13 Affected by 0 other vulnerabilities. 24.0.9 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-kkf3-sqmf-f3ft
Aliases:
GHSA-fr26-qjc8-mvjx
GMS-2021-142

Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19 Improper sanitization of path in default `RouteNotFoundError` view in `com.vaadin:flow-server` versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for `NotFoundException` is provided.

6.0.10
Affected by 0 other vulnerabilities.

VCID-qdgn-1rqg-vuae
Aliases:
CVE-2023-25499
GHSA-5f9v-mv5g-jh5q

Exposure of Sensitive Information to an Unauthorized Actor When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

9.1.1
Affected by 0 other vulnerabilities.

23.3.11
Affected by 0 other vulnerabilities.

24.0.8
Affected by 0 other vulnerabilities.

VCID-tfwa-kphb-j3b8
Aliases:
CVE-2023-25500
GHSA-ch48-9r3q-pv7x

Exposure of Sensitive Information to an Unauthorized Actor Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

9.1.2
Affected by 0 other vulnerabilities.

23.3.13
Affected by 0 other vulnerabilities.

24.0.9
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:45:09.558782+00:00	GitLab Importer	Affected by	VCID-qdgn-1rqg-vuae	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/CVE-2023-25499.yml	38.6.0
2026-06-02T04:45:09.416717+00:00	GitLab Importer	Affected by	VCID-tfwa-kphb-j3b8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/CVE-2023-25500.yml	38.6.0
2026-06-02T04:40:14.390262+00:00	GitLab Importer	Affected by	VCID-kkf3-sqmf-f3ft	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/GMS-2021-142.yml	38.6.0