Vaadin: Malicious ZIP archives can write to wrong files on your server

CVE-2026-2741 GHSA-8jrh-7jg8-fvmv
Summary

A security issue affects Vaadin versions 14, 23, 24, and 25, where maliciously crafted ZIP archives can write files to unintended locations on your server. This can happen if an attacker intercepts or controls the download of Node.js. To fix this, use a locally installed Node.js version or update your Vaadin version to the latest 14.14.1, 23.6.7, 24.9.9, or 25.0.3 and newer.

What to do
  • Update com.vaadin:flow-project to version 14.14.1.
  • Update com.vaadin:flow-project to version 23.6.7.
  • Update com.vaadin:flow-project to version 24.9.9.
  • Update com.vaadin:flow-project to version 25.0.3.
Affected software
Vendor / Product           Affected versions        Fix available
com.vaadin:flow-project    > 14.2.0 , <= 14.14.0    14.14.1
com.vaadin:flow-project    > 23.0.0 , <= 23.6.6     23.6.7
com.vaadin:flow-project    > 24.0.0 , <= 24.9.8     24.9.9
com.vaadin:flow-project    > 25.0.0 , <= 25.0.2     25.0.3
Original title
Vaadin: Specially crafted ZIP archives can escape the intended extraction directory
Original description
Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2.

Vaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.
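The defensive check that closes this class of bug, as an added example in Java (the language of Vaadin's build tooling) and not Vaadin's own code: each entry name is resolved against the target directory and normalized, and any entry that ends up outside that directory is rejected instead of written. The archive is constructed in memory; the class name, entry names and temp directory are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeZipExtract {
    /** Constructed sample: one benign entry plus one whose name escapes the target directory. */
    static byte[] buildSampleArchive() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(buf)) {
            zip.putNextEntry(new ZipEntry("node/bin/node"));
            zip.write("benign".getBytes());
            zip.closeEntry();
            zip.putNextEntry(new ZipEntry("../../escaped.txt"));
            zip.write("outside".getBytes());
            zip.closeEntry();
        }
        return buf.toByteArray();
    }

    /** Extracts under targetDir and returns the names of entries rejected for escaping it. */
    static List<String> extract(byte[] archive, Path targetDir) throws IOException {
        Path root = targetDir.toAbsolutePath().normalize();
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                // Normalize after resolving so "..", "./" and absolute names cannot leave root.
                Path dest = root.resolve(e.getName()).normalize();
                if (!dest.startsWith(root)) {
                    rejected.add(e.getName());
                    continue;
                }
                if (e.isDirectory()) { Files.createDirectories(dest); continue; }
                Files.createDirectories(dest.getParent());
                Files.copy(in, dest);
            }
        }
        return rejected;
    }
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("vaadin-node");
        System.out.println("rejected: " + extract(buildSampleArchive(), dir));
    }
}
```

Running the class extracts only node/bin/node and reports ../../escaped.txt as rejected; an unchecked ZipInputStream loop would have written that file two levels above the target directory.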
Users of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.

Please note that Vaadin versions 10-13 and 15-22 are no longer supported; you should update to the latest 14, 23, 24, or 25 version.
NVD CVSS 4.0 score: 2.3
Vulnerability type
CWE-22 Path Traversal
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026