{"id":"CVE-2021-31405","details":"Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.","aliases":["GHSA-2wqp-jmcc-mc77"],"modified":"2026-05-18T05:52:58.805741766Z","published":"2021-04-23T16:15:08.687Z","database_specific":{},"references":[{"type":"ADVISORY","url":"https://vaadin.com/security/cve-2021-31405"},{"type":"FIX","url":"https://github.com/vaadin/flow-components/pull/442"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/flow","events":[{"introduced":"5d3f8fc64cc7fb1af253e07c987fd95f6cab4881"},{"fixed":"1b08b7c688d90e051d74628054ad4cc006e7312e"},{"introduced":"4b6ca4330163c4e976b32d03880fe2154a9d1ca7"},{"fixed":"555d8ec6a948409588da228130ef5acace25e21b"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"2.0.4"},{"fixed":"2.3.3"},{"introduced":"3.0.0"},{"fixed":"4.0.3"}],"cpe":"cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*"}}],"versions":["4.0.2","4.0.1","4.0.0","4.0.0.rc1","4.0.0.beta2","4.0.0.beta1","2.3.2","4.0.0.alpha3","2.3.1","4.0.0.alpha2","2.3.0","4.0.0.alpha1","2.3.0.beta3","2.3.0.beta2","3.2.0.alpha7","2.3.0.beta1","3.2.0.alpha6","3.2.0.alpha5","3.2.0.alpha4","2.3.0.alpha1","2.2.0.rc1","3.2.0.alpha3","2.2.0.beta2","3.2.0.alpha2","2.2.0.beta1","3.2.0.alpha1","2.2.0.alpha16","2.2.0.alpha15","2.2.0.alpha14","3.0.0.beta2","2.2.alpha14","3.0.0.beta4","3.0.0.beta3","2.2.0.alpha13","3.0.0.beta1","3.0.0.alpha17","2.2.0.alpha12","2.2.0.alpha11","2.2.0.alpha10","2.2.0.alpha9","2.2.0.alpha8","2.2.0.alpha7","2.2.0.alpha6","2.2.0.alpha5","2.2.0.alpha4","2.2.0.alpha3","2.2.0.alpha2","2.2.0.alpha1","2.1.0.beta3","3.0.0.alpha5","2.1.0.beta1","2.1.0.alpha1","2.0.8","2.0.7","2.0.6","2.0.5","2.0.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-31405.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/platform","events":[{"introduced":"268ab5a9ba6ff9a921922189f2ebe8d375a4c7a0"},{"fixed":"eea42fed42df6e55e99ba3d0042d25f0ae11e18c"},{"introduced":"354ad0186b5e61b548adad84de03af297dc6f2a6"},{"fixed":"8f6f8f36faac4ef2a28d115ad95a638638e78589"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"14.0.6"},{"fixed":"14.4.4"},{"introduced":"15.0.0"},{"fixed":"17.0.11"}],"cpe":"cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*"}}],"versions":["17.0.10","17.0.9","17.0.8","17.0.7","17.0.6","17.0.4","17.0.3","17.0.2","17.0.1","17.0.0","17.0.0.rc2","17.0.0.rc1","17.0.0.beta3","17.0.0.beta2","17.0.0.beta1","17.0.0.alpha7","17.0.0.alpha6","16.0.1","17.0.0.alpha5","17.0.0.alpha4","17.0.0.alpha3","17.0.0.alpha2","16.0.0.alpha3","16.0.0.alpha2","16.0.0.alpha1","15.0.0.rc1","15.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-31405.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/vaadin","events":[{"introduced":"5521426214d9e12c3c5ec0db5a3d11afba50517f"},{"fixed":"3411feab4bba930a1b2f0e2067d749708e652359"},{"introduced":"9efda1b1e0a27769eef9292dd7799d8fea77e633"},{"fixed":"2a6e1401b8e151e365ad8867ed1d127c5a4d1799"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"14.0.6"},{"fixed":"14.4.4"},{"introduced":"15.0.0"},{"fixed":"17.0.11"}],"cpe":"cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-31405.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}