All vulnerability reports

Denial of service in UIDL request handler in Vaadin 7 and 8

High (Base score 7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Improper check for exceptional condition in a third party JSON handling library used in com.vaadin:vaadin-shared versions 7.4.0 through 7.7.8 (Vaadin 7.4.0 through 7.7.8), and 8.0.0 through 8.0.5 (Vaadin 8.0.0 through 8.0.5) allows attacker to perform denial of service (DoS) attack via crafted JSON payload.

See CWE-754: Improper Check for Unusual or Exceptional Conditions, CWE-400: Uncontrolled Resource Consumption


Improper check for exceptional condition was discovered in a third party JSON handling library integrated in Vaadin Framework 7 and used as a transitive dependency in Vaadin Framework 8. By crafting an invalid JSON payload, an attacker could cause the server-side decoding logic to exhaust the entire JVM heap. The vulnerability may impact service availability, but cannot not cause execution of untrusted code or disclosure of sensitive information.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Mitigation
Vaadin 7.4.0 - 7.7.8 Upgrade to 7.7.9 or newer 7 version
Vaadin 8.0.0 - 8.0.5 Upgrade to 8.0.6 or newer 8 version


Maven coordinates Vulnerable version Fixed version
com.vaadin:vaadin-shared 7.4.0 - 7.7.8 ≥ 7.7.9
com.vaadin:vaadin-shared 8.0.0 - 8.0.5 ≥ 8.0.6



  • 2017-05-11: Initial vulnerability report published