CVE-2018-25007— Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11

CVSS 2.6 · Low EPSS 0.29% · P52 Updated Feb 21, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2018-25007

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11

Source: NVD (National Vulnerability Database)

Vulnerability Description

Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

对因果或异常条件的不恰当检查

Source: NVD (National Vulnerability Database)

Vulnerability Title

Vaadin flow 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Vaadin flow是一个应用软件。Vaadin平台的Java框架，用于构建外观美观，性能良好并让您和您的用户感到满意的现代网站。 vaadin:flow-server versions 1.0.0版本至1.0.5版本存在代码问题漏洞，该漏洞源于UIDL请求处理程序中缺少检查。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Vaadin	Vaadin	10.0.0 ~ *	-
Vaadin	flow-server	1.0.0 ~ *	-

II. Public POCs for CVE-2018-25007

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2018-25007

Please Login to view more intelligence information

https://vaadin.com/security/cve-2018-25007x_refsource_MISC
https://github.com/vaadin/flow/pull/4774x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2018-25007

Same Patch Batch · Vaadin · 2021-04-23 · 13 CVEs total

CVE-2021-31407	8.6 HIGH	Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
CVE-2021-31410	8.6 HIGH	Project sources exposure in Vaadin Designer
CVE-2020-36320	7.5 HIGH	Regular expression Denial of Service (ReDoS) in EmailValidator class in Vaadin 7
CVE-2021-31405	7.5 HIGH	Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-1
CVE-2021-31408	6.3 MEDIUM	Server session is not invalidated when logout() helper method of Authentication module is
CVE-2019-25027	6.1 MEDIUM	Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
CVE-2020-36321	5.9 MEDIUM	Directory traversal in development mode handler in Vaadin 14 and 15-17
CVE-2019-25028	5.4 MEDIUM	Stored cross-site scripting in Grid component in Vaadin 7 and 8
CVE-2021-31403	4.0 MEDIUM	Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8
CVE-2021-31404	4.0 MEDIUM	Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18
CVE-2021-31406	4.0 MEDIUM	Timing side channel vulnerability in endpoint request handler in Vaadin 15-19
CVE-2020-36319	3.1 LOW	Potential sensitive data exposure in applications using Vaadin 15

IV. Related Vulnerabilities

Same product: Vaadin

Same vendor: Vaadin

Same weakness: CWE-754

V. Comments for CVE-2018-25007

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2018-25007— Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11

I. Basic Information for CVE-2018-25007

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2018-25007

III. Intelligence Information for CVE-2018-25007

Same Patch Batch · Vaadin · 2021-04-23 · 13 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2018-25007

Leave a comment