Platform: java
Component: com.vaadin:flow-project
Fixed in: 14.14.1, 23.6.7, 24.9.9, 25.0.3, 2.13.1, 23.6.8, 24.9.10, 25.0.4
CVE-2026-2741 describes a path traversal vulnerability affecting the Vaadin Flow Project. This vulnerability allows an attacker who can intercept or control Node.js downloads during the build process to write files outside the intended extraction directory. The vulnerability impacts versions 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. A fix is available in version 14.14.1.
This vulnerability arises from the way Vaadin’s build process handles Node.js downloads. If an attacker can intercept or control the download process—through techniques like DNS hijacking, a man-in-the-middle (MITM) attack, a compromised mirror, or a supply chain attack—they can serve a malicious ZIP archive. This archive would contain path traversal sequences designed to write files to arbitrary locations on the system. The potential impact includes overwriting critical system files, injecting malicious code, or gaining unauthorized access to sensitive data. While the CVSS score is LOW, the potential for supply chain compromise elevates the risk, as attackers could target the download infrastructure to affect numerous downstream users.
This vulnerability was publicly disclosed on 2026-03-10. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively low CVSS score and lack of public exploits, the probability of exploitation is considered low to medium.
Organizations using Vaadin Flow Project in their web applications, particularly those relying on automated Node.js downloads during the build process, are at risk. Shared hosting environments where users have limited control over the build process are also particularly vulnerable.
• java / server:
find /path/to/vaadin/installation -name "flow-project*" -type d -print0 | xargs -0 grep -ri 'path traversal'
• generic web:
curl -I <your_vaadin_application_url> | grep -i 'X-Content-Type-Options: nosniff'
Disclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
The primary mitigation is to upgrade to version 14.14.1 or later of the Vaadin Flow Project. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Verify the integrity of Node.js downloads by using checksum verification or digital signatures. Implement strict network segmentation to limit the potential impact of a compromised download. Consider using a Web Application Firewall (WAF) to filter out malicious ZIP archives containing path traversal sequences. Monitor system logs for unusual file creation or modification activity, particularly in unexpected directories.
Update Vaadin to version 14.14.1, 23.6.7, 24.9.9 or 25.0.3 or later, depending on your current version. Alternatively, use a globally pre-installed Node.js version that is compatible with your Vaadin version.
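The defensive counterpart to the archive handling described above, as an added example in Python (not Vaadin's own code): it pins a SHA-256 digest for the downloaded Node.js archive and refuses any ZIP entry that would resolve outside the extraction directory, independent of whatever sanitising the archive library itself performs. The archive contents, entry names and digests are constructed in-line; a real download would be checked against the digest published by the Node.js project.

```python
import hashlib
import io
import os
import tempfile
import zipfile

def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Entry names that would land outside dest_dir ('..' components or absolute paths)."""
    dest = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    # realpath collapses '..' and absolute names; the common prefix must still be dest itself
    return [n for n in names
            if os.path.commonpath([dest, os.path.realpath(os.path.join(dest, n))]) != dest]

def safe_extract(zip_bytes: bytes, dest_dir: str, expected_sha256: str) -> list[str]:
    """Verify a pinned SHA-256, refuse any traversal entry, then extract; returns entry names."""
    if hashlib.sha256(zip_bytes).hexdigest() != expected_sha256.lower():
        raise ValueError("SHA-256 mismatch: download is not the pinned artifact")
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()

def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed test fixture: in-memory ZIP with the given entry names, written unsanitised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples, not real Node.js artifacts: one clean, one carrying a traversal entry.
NODE_BIN = "node-v20.0.0-linux-x64/bin/node"
BENIGN_ZIP = build_zip({NODE_BIN: b"binary"})
TRAVERSAL_ZIP = build_zip({NODE_BIN: b"binary", "../../outside-extraction-dir.txt": b"x"})

def demo() -> dict:
    """Run both archives through the checks in a throwaway extraction directory."""
    out = {}
    with tempfile.TemporaryDirectory() as dest:
        out["benign_unsafe"] = unsafe_entries(BENIGN_ZIP, dest)
        out["traversal_unsafe"] = unsafe_entries(TRAVERSAL_ZIP, dest)
        out["extracted"] = safe_extract(BENIGN_ZIP, dest, hashlib.sha256(BENIGN_ZIP).hexdigest())
    return out
```

Because safe_extract checks the same entry list, an archive for which unsafe_entries is non-empty is refused before anything is written.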
CVE-2026-2741 is a path traversal vulnerability in Vaadin Flow Project allowing attackers to write files outside the intended directory during Node.js downloads.
You are affected if you are using Vaadin Flow Project versions 14.2.0-14.14.0, 23.0.0-23.6.6, 24.0.0-24.9.8, or 25.0.0-25.0.2.
Upgrade to version 14.14.1 or later of Vaadin Flow Project. Consider workarounds like checksum verification if immediate upgrade isn't possible.
There are currently no known public exploits or active campaigns targeting CVE-2026-2741.
Refer to the official Vaadin security advisory for CVE-2026-2741 on the Vaadin website.