CVE-2021-31410

8.6 HIGH

📋 TL;DR

This vulnerability in Vaadin Designer allows remote attackers to access project source files through specially crafted HTTP requests due to overly permissive frontend resource server configuration. It affects organizations using Vaadin Designer versions 4.3.0 through 4.6.3 for web application development.

💻 Affected Systems

Products:
  • Vaadin Designer
Versions: 4.3.0 through 4.6.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Vaadin Designer, not Vaadin Framework or other Vaadin products. Requires the frontend resource server to be running.

📦 What is this software?

Vaadin Designer is a visual UI builder for Vaadin web applications, installed as a plugin for IntelliJ IDEA and Eclipse. While it is in use it runs a frontend resource server on the developer's machine to serve the live design preview; that server, and how permissively it was configured, is what this CVE concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal intellectual property and extract sensitive business logic, credentials, or API keys embedded in source code, potentially leading to further system compromise.

🟠 Likely Case

Source code theft exposing proprietary application logic, configuration files, and potentially embedded secrets that could facilitate additional attacks.

🟢 If Mitigated

Limited exposure, provided network segmentation and access controls prevent external attackers from reaching vulnerable instances.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network reachability to the frontend resource server of a running Vaadin Designer instance (typically a developer workstation) and the ability to send a crafted HTTP request; no credentials or user interaction are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.4

Vendor Advisory: https://vaadin.com/security/cve-2021-31410

Restart Required: Yes

Instructions:

1. Stop the running Vaadin Designer instance (close the IDE in which the plugin is loaded).
2. Upgrade the Vaadin Designer plugin to version 4.6.4 or later.
3. Restart Vaadin Designer and confirm the installed version is 4.6.4 or later.

🔧 Temporary Workarounds

Network Isolation (applies to all platforms)

Restrict network access to Vaadin Designer instances to trusted development networks only.

Use host or perimeter firewall rules to block external access to the Vaadin Designer port (default 9998); confirm the port actually bound on your workstations before writing rules.

Access Control (applies to all platforms)

Implement authentication or IP allow-listing for Vaadin Designer access.

Configure a reverse proxy with authentication (e.g., nginx, Apache httpd) in front of Vaadin Designer, and block direct access to the Designer port so requests cannot bypass the proxy.

🧯 If You Can't Patch

  • Isolate Vaadin Designer instances on internal development networks with no internet exposure.
  • Implement strict network access controls and monitor for unusual HTTP requests to Vaadin Designer endpoints.

🔍 How to Verify

Check if Vulnerable:

Determine the installed Vaadin Designer plugin version. Versions 4.3.0 through 4.6.3 inclusive are vulnerable; 4.6.4 and later are fixed.

Check Version:

Open the IDE's plugin manager (IntelliJ IDEA: Settings/Preferences > Plugins; Eclipse: Help > About > Installation Details) and read the Vaadin Designer version. Compare versions numerically rather than as strings, so that, for example, 4.6.10 is correctly treated as fixed.

Verify Fix Applied:

Confirm the version is 4.6.4 or later, then, from another host on the same network, confirm that HTTP requests to the frontend resource server return only the intended frontend resources and not project source files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP GET requests to Vaadin Designer frontend resource paths, especially attempts to access source files

Network Indicators:

  • HTTP traffic to Vaadin Designer ports (default 9998) from untrusted sources

SIEM Query:

source="vaadin-designer" AND (http_method="GET" AND uri CONTAINS "/frontend/")

This query also matches all legitimate preview traffic, so on its own it is a baseline rather than an alert. Before alerting on it, narrow it to requests from addresses outside the development network, or to URIs under /frontend/ that contain path traversal sequences or end in source-file extensions (.java, .properties, and similar).
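As an added example (not Vaadin's code and not drawn from this page), the following Python script combines the two checks above: a numeric version-range test for the "How to Verify" section, and a scan of access-log lines for the "Detection & Monitoring" section. The combined log format, the trusted network range 10.20.0.0/24, the sample log lines, and the indicator heuristics (traversal sequences, source-file extensions, project-tree paths) are all assumptions chosen for illustration; the exact request shape used against Designer is not described here.

```python
"""Triage helpers for CVE-2021-31410 (Vaadin Designer).

Added example, not Vaadin's code. Two checks a responder wants together:
  1. is_vulnerable_version(): is an installed Designer version inside the
     affected range 4.3.0 <= v <= 4.6.3 (fixed in 4.6.4)?
  2. flag_requests(): scan web-server style access-log lines for GETs to the
     frontend resource paths that look like attempts to pull project sources.
ASSUMPTIONS: the combined log format, the trusted network, the sample lines
and the indicator heuristics are illustrative; the exact request shape used
against Designer is not documented on the page this accompanies.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Iterable, List, NamedTuple, Tuple
from urllib.parse import unquote

AFFECTED_MIN = (4, 3, 0)   # first affected release
FIXED_IN = (4, 6, 4)       # first fixed release


def parse_version(s: str) -> Tuple[int, int, int]:
    """'v4.6.3', '4.6.3.final', '4.6' -> 3-tuple of ints; extra segments are dropped."""
    nums = [int(n) for n in re.findall(r"\d+", s)][:3]
    if not nums:
        raise ValueError(f"no numeric version in {s!r}")
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def is_vulnerable_version(s: str) -> bool:
    """Numeric comparison: 4.6.10 sorts after 4.6.4 (a string compare gets this wrong)."""
    return AFFECTED_MIN <= parse_version(s) < FIXED_IN


# Constructed sample lines (combined log format), not real traffic. The two
# 198.51.100.7 requests are the kind the detector should surface.
SAMPLE_LOG = """\
10.20.0.15 - - [12/May/2021:10:01:02 +0000] "GET /frontend/styles/shared-styles.css HTTP/1.1" 200 1843
10.20.0.15 - - [12/May/2021:10:01:03 +0000] "GET /frontend/src/views/main-view.js HTTP/1.1" 200 5120
198.51.100.7 - - [12/May/2021:10:02:44 +0000] "GET /frontend/..%2Fsrc/main/java/com/example/MainView.java HTTP/1.1" 200 2210
198.51.100.7 - - [12/May/2021:10:02:45 +0000] "GET /frontend/src/main/resources/application.properties HTTP/1.1" 200 310
10.20.0.22 - - [12/May/2021:10:03:10 +0000] "POST /frontend/api/save HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

TRUSTED_NETS = [ip_network("10.20.0.0/24")]  # assumed development LAN
SOURCE_EXT = (".java", ".kt", ".properties", ".yml", ".yaml", ".xml", ".env", ".gradle")


class Finding(NamedTuple):
    ip: str
    uri: str
    reasons: Tuple[str, ...]


def classify_uri(uri: str) -> Tuple[str, ...]:
    """Indicators that fire for a request under /frontend/; empty tuple means 'looks normal'.

    Percent-decoding happens before matching so %2e%2e%2f is seen as ../ .
    """
    path = unquote(uri.split("?", 1)[0])
    if not path.startswith("/frontend/"):
        return ()
    reasons = []
    if "../" in path or "/.." in path or "..\\" in path:
        reasons.append("traversal")
    if path.lower().endswith(SOURCE_EXT):
        reasons.append("source-ext")
    if "/src/main/" in path or "/WEB-INF/" in path:
        reasons.append("project-tree")
    return tuple(reasons)


def from_trusted_net(ip: str, nets=TRUSTED_NETS) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:          # hostname or garbage in the client field: treat as untrusted
        return False
    return any(addr in net for net in nets)


def flag_requests(lines: Iterable[str], nets=TRUSTED_NETS) -> List[Finding]:
    """Return one Finding per GET whose URI triggers an indicator, in log order."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        reasons = list(classify_uri(m["uri"]))
        if not reasons:
            continue
        if not from_trusted_net(m["ip"], nets):
            reasons.append("untrusted-source")
        findings.append(Finding(m["ip"], m["uri"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    print("4.6.3 vulnerable:", is_vulnerable_version("4.6.3"))    # True
    print("4.6.10 vulnerable:", is_vulnerable_version("4.6.10"))  # False
    for f in flag_requests(SAMPLE_LOG.splitlines()):
        print(f.ip, f.uri, ",".join(f.reasons))
```

The legitimate Vaadin frontend tree itself lives under /frontend/src, so a plain .js request there is deliberately not flagged; only traversal, source-file extensions, or paths into the Maven project tree raise a finding, and an untrusted client address is recorded as an extra reason rather than as the sole trigger, so requests from inside the dev LAN still surface for review.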
