{"id":"CVE-2019-25027","details":"Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL","aliases":["GHSA-rp4x-wxqv-cf9m"],"modified":"2026-04-11T21:02:33.087106Z","published":"2021-04-23T16:15:07.987Z","references":[{"type":"ADVISORY","url":"https://vaadin.com/security/cve-2019-25027"},{"type":"FIX","url":"https://github.com/vaadin/flow/pull/5498"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/flow","events":[{"introduced":"3cd0c02025aba6de6fd78a8ea65c67483a721b4e"},{"fixed":"96ebe74d7819acea6bf720ad39af1d12132a8956"},{"introduced":"6b0da5b1d88e4541bebb4f26ef799b3f407bb74e"},{"fixed":"5e286e8a313fb5a8060caa57e6bffaa2a416010d"}],"database_specific":{"extracted_events":[{"introduced":"1.0.0"},{"fixed":"1.0.11"},{"introduced":"1.1.0"},{"fixed":"1.4.3"}],"cpe":"cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["1.0.0","1.0.1","1.0.10","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1.0","1.2.0","1.2.0.alpha1","1.2.0.beta1","1.2.0.beta2","1.3.0","1.3.0.beta1","1.3.0.beta2","1.4.0","1.4.1","1.4.2"],"database_specific":{"vanir_signatures_modified":"2026-04-11T21:02:33Z","vanir_signatures":[{"digest":{"line_hashes":["261953307091429512020813919124974003204","329533054537719354414092760958815002704","313930173888583270381484067923183456160","162146791431649347363597301744334728147","242797645317436500196535946665471567281","286910172304206219900340701977937062437","278181443505157423786147500441283476047","303837510556439872409158675732397683248","153768064545624599271116704130548139556","109483147727043905708274744426371902544","259870548858588817648333372768790484811","325017224019585151779266844960186116358","106226419683089484003885099097620599339","329760685973920828001511732786776132401","158446089771610535504004077417513645932","278220728157201837614615789759340673763","124408381347879013080958365972561941930","154785131295333403489954052243911469192","135046169291699858826297569535737011561"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"flow-server/src/main/java/com/vaadin/flow/component/UI.java"},"signature_version":"v1","id":"CVE-2019-25027-724dc12d","source":"https://github.com/vaadin/flow/commit/96ebe74d7819acea6bf720ad39af1d12132a8956"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-25027.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/vaadin","events":[{"introduced":"7ac406600a3c1a228e15ba253fe844f7e13771a0"},{"fixed":"87226bac2c34d04093ee7753c52e9b210527fbd6"},{"introduced":"75cb16838a5b87c6e1a15b9e453e0d7c90cc1d53"},{"fixed":"d0531adfcb36dcfd65651b1877852f115a87a0ce"}],"database_specific":{"extracted_events":[{"introduced":"10.0.0"},{"fixed":"10.0.14"},{"introduced":"11.0.0"},{"fixed":"13.0.6"}],"cpe":"cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["v10.0.0","v10.0.1","v10.0.10","v10.0.11","v10.0.12","v10.0.13","v10.0.2","v10.0.3","v10.0.4","v10.0.5","v10.0.6","v10.0.7","v10.0.8","v10.0.9","v11.0.0-alpha1","v11.0.0-beta1","v12.0.0","v12.0.0-alpha1","v12.0.0-alpha2","v12.0.0-alpha3","v12.0.0-alpha4","v12.0.0-alpha5","v12.0.0-beta1","v12.0.0-beta2","v12.0.1","v12.0.2","v13.0.0","v13.0.0-alpha1","v13.0.0-alpha2","v13.0.0-alpha3","v13.0.0-alpha4","v13.0.0-beta1","v13.0.0-beta2","v13.0.0-beta3","v13.0.1","v13.0.2","v13.0.3","v13.0.4","v13.0.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-25027.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}