CVE-2023-25500

LOW

Vaadin < 10.0.23 - Information Disclosure


Description

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

Scores

CVSS v3 3.5
EPSS 0.0051
EPSS Percentile 39.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (4)
com.vaadin/flow-server 1.0.0 - 1.0.21 (Maven)
com.vaadin/vaadin 10.0.0 - 10.0.24 (Maven)
vaadin/vaadin 24.1.0 alpha1 (11 CPE variants)
vaadin/vaadin 10.0.0 - 10.0.23
Published Jun 22, 2023
Tracked Since Feb 18, 2026