Possibility to bypass file upload validation on the server-side

Hi team,

I noticed Vaadin recently published a security advisory:
CVE-2025-9467 – Possibility to bypass file upload validation on the server side:
https://vaadin.com/security/cve-2025-9467-possibility-to-bypass-file-upload-validation-on-the-server-side

Since Jmix UI is built on top of Vaadin, I would like to check:

  • Does this vulnerability affect Jmix applications?
  • If yes, which Jmix versions are impacted?
  • Are there recommended upgrade paths or patches to address this?

We are currently using Jmix 2.6.1, so it would be helpful to know if we need to update to a specific Vaadin / Jmix release.

Thanks in advance!

Best regards,
Chee Hao.

Hi,

Vaadin from 24.0.0 through 24.7.6 has the vulnerability. Jmix 2.6.1 is based on Vaadin 24.7.3. I’ve created a GitHub issue to upgrade Vaadin dependencies: "Update to the latest Vaadin 24.7.x" (Issue #4695, jmix-framework/jmix on GitHub).

Regards,
Gleb