Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-pzs6-2td6-vfee
Vulnerability ID VCID-pzs6-2td6-vfee
Aliases CVE-2018-25007
GHSA-jmx8-355m-8vwh
Summary Improper Check for Unusual or Exceptional Conditions Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-754 Improper Check for Unusual or Exceptional Conditions
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2018-25007
cvssv3.1 2.6 https://github.com/vaadin/flow/pull/4774
generic_textual LOW https://github.com/vaadin/flow/pull/4774
cvssv3.1 2.6 https://github.com/vaadin/flow/security/advisories/GHSA-jmx8-355m-8vwh
generic_textual LOW https://github.com/vaadin/flow/security/advisories/GHSA-jmx8-355m-8vwh
cvssv3.1 2.6 https://nvd.nist.gov/vuln/detail/CVE-2018-25007
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2018-25007
cvssv3.1 2.6 https://vaadin.com/security/cve-2018-25007
generic_textual LOW https://vaadin.com/security/cve-2018-25007
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2018-25007
https://github.com/vaadin/flow/pull/4774
CVE-2018-25007 https://nvd.nist.gov/vuln/detail/CVE-2018-25007
CVE-2018-25007 https://vaadin.com/security/cve-2018-25007
GHSA-jmx8-355m-8vwh https://github.com/advisories/GHSA-jmx8-355m-8vwh
GHSA-jmx8-355m-8vwh https://github.com/vaadin/flow/security/advisories/GHSA-jmx8-355m-8vwh
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/vaadin/flow/pull/4774
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/vaadin/flow/security/advisories/GHSA-jmx8-355m-8vwh
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-25007
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N Found at https://vaadin.com/security/cve-2018-25007
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.52459
EPSS Score 0.00288
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:21:02.985025+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/CVE-2018-25007.yml 38.6.0