{"id":"CVE-2018-25007","details":"Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.","aliases":["GHSA-jmx8-355m-8vwh"],"modified":"2026-04-11T21:32:07.996897Z","published":"2021-04-23T16:15:07.933Z","references":[{"type":"ADVISORY","url":"https://vaadin.com/security/cve-2018-25007"},{"type":"FIX","url":"https://github.com/vaadin/flow/pull/4774"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/flow","events":[{"introduced":"3cd0c02025aba6de6fd78a8ea65c67483a721b4e"},{"fixed":"894baa477588a9d1f09bb0e0442ce84f37263464"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"1.0.0"},{"fixed":"1.0.6"}],"cpe":"cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*"}}],"versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-25007.json","vanir_signatures":[{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java","function":"parseCachedTemplate_twoTemplatesWithInjetions_injectionsAreRegisteredInFeature"},"id":"CVE-2018-25007-0faafb9d","digest":{"function_hash":"309254529317160109978744765093909497398","length":1113},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java","function":"IdElementTemplate"},"id":"CVE-2018-25007-24c3e45b","digest":{"function_hash":"230294542000640822027397291340549293878","length":164},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java","function":"TemplateWithChildInDomRepeat"},"id":"CVE-2018-25007-45c86149","digest":{"function_hash":"303032286365044452429978902939442486945","length":270},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java","function":"TemplateInTemplate"},"id":"CVE-2018-25007-4c5b875d","digest":{"function_hash":"328149685000126517100438396288577367696","length":162},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/main/java/com/vaadin/flow/component/polymertemplate/TemplateDataAnalyzer.java","function":"head"},"id":"CVE-2018-25007-541fc1f2","digest":{"function_hash":"295074943548128195237303468521814680835","length":241},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java","function":"BundledTemplateInTemplate"},"id":"CVE-2018-25007-6004c4d7","digest":{"function_hash":"250768283966778343512729266481122691459","length":352},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java","function":"getTemplateContent"},"id":"CVE-2018-25007-6637e952","digest":{"function_hash":"89011873543828274818332082117494356960","length":499},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java","function":"setUp"},"id":"CVE-2018-25007-79d4b19b","digest":{"function_hash":"16269345403540832709411605441695316497","length":848},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java","function":"ExecutionOrder"},"id":"CVE-2018-25007-7c3284d7","digest":{"function_hash":"199744405677960256179826052955650292843","length":173},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/main/java/com/vaadin/flow/component/polymertemplate/TemplateDataAnalyzer.java","function":"inspectTwoWayBindings"},"id":"CVE-2018-25007-8d132544","digest":{"function_hash":"257421466117554992974656102548395812946","length":466},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java"},"id":"CVE-2018-25007-91830438","digest":{"threshold":0.9,"line_hashes":["298089347245261224740321253065826994335","186198978410790920875122811898054089898","21952615406179746750700951766337702907","184486080046520611114001651704324598814","244827579485265019966665695788011310993","262362589193713960370827979970852997279","219129510406669791578366380803894900782","17009800162955092351500294231755934988","339681126760081074007602882829601304610","191858904403095657800138958235945067661","324820405712025126414835629118243472367","68884367277563326111857801634052709552","186460068313709534824046521401818841451","224301604506202064207533652946541944069","323140523891755966178811713540556546928","21335763863424313735672488488786953988","274495571705479901970113965594344028979","46829916983729473357487696993283977926","262315594651116045872693402276294116723","334955913145157393518414195737190934542","255886316437089161526042370899634071376","80985418369200448503530664277698262275","186771752503785958202804018800655770171","252355614304530826544761355520138086442","177570870422282704870820178216392389498","124738485358123016996453907451243047966","141877087956878417293897410148063506854","107849598228090087725094348395629887521","214356700405373514476260243026173658265","153574326465535324135986036784884320442","104669160841206478282716478650240969650","284186165711424604193826842417480219814","312109643813576908444668198256173572090","94553712842747168819264900688897002133","133223188575194580509696404538824681097","157915399923818059467296207961075277910","28776501075093293301487737149927280969","107835296728670780524422153719704141421","332578251405851967099409150518098531252","339441823757630311406086261711251574824","24163721874551906643713717539491448858","254459886200515902163842957408287786110","234296845856971958240321677308897511839","12567707883259977806529051458661903045","124596177139765322559760365981802261750","15259414305192077191597728735315372838","259836864135558194918870963056570008184","83895110301187301603446876096445052833","83925204316969867372045933144705834411"]},"signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java","function":"SimpleTemplateParser"},"id":"CVE-2018-25007-918c48df","digest":{"function_hash":"271338877315283448777396590351639960648","length":80},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/test/java/com/vaadin/flow/component/polymertemplate/PolymerTemplateTest.java","function":"parseTemplate_hasChildTemplateAndTemplateHtmlStyle_elementIsCreatedAndSetAsVirtualChild"},"id":"CVE-2018-25007-9de4eb1d","digest":{"function_hash":"207264139625159891860614014323262031142","length":243},"signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/main/java/com/vaadin/flow/component/polymertemplate/DefaultTemplateParser.java"},"id":"CVE-2018-25007-b44eeb1a","digest":{"threshold":0.9,"line_hashes":["70875497824335303735318466291242066116","52270939211813367629320861361633674099","290355618636866370850816011946237234580","85284835111303739450198565533371430750"]},"signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/main/java/com/vaadin/flow/component/polymertemplate/TemplateDataAnalyzer.java"},"id":"CVE-2018-25007-cce4edf6","digest":{"threshold":0.9,"line_hashes":["33718312277920235412275887533042091215","208922664964465314531575950054812174951","260438801600315093504825818126627644142","38004184092546674449619745992114374545"]},"signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/vaadin/flow/commit/894baa477588a9d1f09bb0e0442ce84f37263464","deprecated":false,"target":{"file":"flow-server/src/main/java/com/vaadin/flow/component/polymertemplate/DefaultTemplateParser.java","function":"removeCommentsRecursively"},"id":"CVE-2018-25007-ff179963","digest":{"function_hash":"14811737297873402565908535305403628658","length":235},"signature_type":"Function","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T21:32:07Z"}},{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/vaadin","events":[{"introduced":"7ac406600a3c1a228e15ba253fe844f7e13771a0"},{"fixed":"bc1efba687e0043bdf892ecbd59a8592ae4222f5"},{"introduced":"75cb16838a5b87c6e1a15b9e453e0d7c90cc1d53"},{"fixed":"4a04530dfe7f9de6b0d57df0441087e60251cb25"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"10.0.0"},{"fixed":"10.0.8"},{"introduced":"11.0.0"},{"fixed":"11.0.3"}],"cpe":"cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*"}}],"versions":["v10.0.0","v10.0.1","v10.0.2","v10.0.3","v10.0.4","v10.0.5","v10.0.6","v10.0.7","v11.0.0","v11.0.1","v11.0.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-25007.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}