CVE-2021-31405
📋 TL;DR
This vulnerability allows attackers to cause a denial of service (DoS) by submitting specially crafted email addresses that trigger inefficient regular expression processing in Vaadin's EmailField component. The unsafe regex validation leads to uncontrolled resource consumption (CPU/memory). Applications using com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6-14.4.3) and 3.0.0 through 4.0.2 (Vaadin 15.0.0-17.0.10) are affected.
💻 Affected Systems
- Vaadin Flow Components
- Vaadin Platform
📦 What is this software?
Flow by Vaadin
Vaadin by Vaadin
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability due to resource exhaustion, potentially affecting multiple users or services if the application crashes or becomes unresponsive.
Likely Case
Degraded performance or temporary unavailability for users accessing the vulnerable email input field, with potential cascading effects on dependent services.
If Mitigated
Minimal impact with proper input validation, rate limiting, and resource monitoring in place to detect and block malicious patterns.
🎯 Exploit Status
Exploitation requires submitting malicious email addresses to vulnerable endpoints. No authentication is needed if the email input field is publicly accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: com.vaadin:vaadin-text-field-flow version 2.4.0 (for Vaadin 14) and 5.0.0 (for Vaadin 15-17)
Vendor Advisory: https://vaadin.com/security/cve-2021-31405
Restart Required: Yes
Instructions:
1. Update the com.vaadin:vaadin-text-field-flow dependency to version 2.4.0 or higher for Vaadin 14, or 5.0.0 or higher for Vaadin 15-17.
2. Update pom.xml or build.gradle with the new version.
3. Rebuild and redeploy the application.
4. Restart the application server.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation that rejects email addresses whose length or structure could drive the validation regex into excessive backtracking.
Run this custom validation logic before the input reaches Vaadin's EmailField validation.
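As an added example (not Vaadin's code or the advisory's), the pre-filter below bounds input length and checks email shape in linear time without any regex, so oversized or malformed values are rejected before a backtracking-prone validator ever sees them. It assumes RFC 5321 length limits, Java 11+ (for String.repeat) and no Vaadin dependency; where to call it (for example in the field's value-change handler) is left to the application.

```java
import java.nio.charset.StandardCharsets;

/** Regex-free, linear-time pre-filter run before any regex-based e-mail validator. */
public final class EmailPreFilter {
    // Bounds from RFC 5321 (assumption: applied strictly): 254 octets total, 64 local, 63 per label.
    static final int MAX_TOTAL = 254, MAX_LOCAL = 64, MAX_LABEL = 63;

    /** Returns true only if the input is short and well-shaped enough to hand to the real validator. */
    public static boolean isSafeToValidate(String raw) {
        if (raw == null || raw.isEmpty()) return false;
        if (raw.getBytes(StandardCharsets.UTF_8).length > MAX_TOTAL) return false; // cap the work up front
        for (char c : raw.toCharArray()) {
            if (c <= ' ' || c >= 0x7f) return false; // no whitespace, control or non-ASCII characters
        }
        int at = raw.indexOf('@');
        if (at <= 0 || at != raw.lastIndexOf('@') || at == raw.length() - 1) return false; // exactly one '@', both sides non-empty
        String local = raw.substring(0, at), domain = raw.substring(at + 1);
        if (local.length() > MAX_LOCAL) return false;
        if (local.startsWith(".") || local.endsWith(".") || local.contains("..")) return false;
        // Domain: dot-separated labels of 1..63 chars from [A-Za-z0-9-], no leading/trailing hyphen, at least two labels.
        int labelStart = 0, labels = 0;
        for (int i = 0; i <= domain.length(); i++) {
            if (i == domain.length() || domain.charAt(i) == '.') {
                int len = i - labelStart;
                if (len < 1 || len > MAX_LABEL) return false;
                if (domain.charAt(labelStart) == '-' || domain.charAt(i - 1) == '-') return false;
                labels++;
                labelStart = i + 1;
            } else {
                char c = domain.charAt(i);
                boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-';
                if (!ok) return false;
            }
        }
        return labels >= 2;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (not taken from the advisory).
        String[] samples = {
            "alice@example.com",                                        // accepted
            "a".repeat(60) + "@" + "b".repeat(60) + ".example",          // long but within bounds: accepted
            "a@" + "x.".repeat(200) + "com",                             // over the length cap: rejected before any regex runs
            "bob@@example.com",                                          // two '@': rejected
            "carol@-bad.example",                                        // label starts with '-': rejected
        };
        for (String s : samples) {
            String shown = s.length() > 40 ? s.substring(0, 40) + "...(" + s.length() + " chars)" : s;
            System.out.println(isSafeToValidate(s) + "  <- " + shown);
        }
    }
}
```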
Rate Limiting
Apply rate limiting to email submission endpoints to prevent mass exploitation attempts.
Configure rate limiting in the web server (nginx/apache) or in the application framework.
🧯 If You Can't Patch
- Implement WAF rules to block email patterns with excessive special characters or regex sequences
- Monitor server resource usage and set alerts for abnormal CPU/memory consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check your project's dependency file (pom.xml or build.gradle) for com.vaadin:vaadin-text-field-flow version. If version is between 2.0.4-2.3.2 or 3.0.0-4.0.2, you are vulnerable.
Check Version:
Maven: mvn dependency:tree | grep vaadin-text-field-flow
Gradle: gradle dependencies | grep vaadin-text-field-flow
Verify Fix Applied:
After updating, verify the dependency version is 2.4.0+ for Vaadin 14 or 5.0.0+ for Vaadin 15-17. Test email submission with various inputs to ensure normal performance.
📡 Detection & Monitoring
Log Indicators:
- Unusually long processing times for email validation requests
- High CPU usage spikes correlated with email submission endpoints
- Application errors or timeouts on email input handling
Network Indicators:
- Multiple rapid requests to email submission endpoints with unusual patterns
- Requests containing email addresses with complex regex-like patterns
SIEM Query:
source="application.log" AND ("EmailField" OR "email validation") AND (duration>5000 OR "timeout" OR "CPU spike")