GHSA-p7jq-v8jp-j424

GitHub Security Advisory

Timing side channel vulnerability in endpoint request handler in Vaadin 15-19

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

Non-constant-time comparison of CSRF tokens in the endpoint request handler in `com.vaadin:flow-server` versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6) and `com.vaadin:fusion-endpoint` version 6.0.0 (Vaadin 19.0.0) allows an attacker to guess the security token for Fusion endpoints via a timing attack: a comparison that stops at the first mismatching byte takes measurably longer the more leading bytes of a guess are correct, so the token can be recovered one position at a time rather than by brute force over the whole value.

- https://vaadin.com/security/cve-2021-31406
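
As an added illustration (this is not Vaadin's code, and the class and method names are hypothetical), the following Java shows the vulnerable comparison pattern the advisory describes next to a constant-time replacement. The early-exit loop is instrumented to return how many bytes it examined before stopping, which is the quantity an attacker observes as response time; the constant-time versions do the same amount of work regardless of where the guess goes wrong.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration, not Vaadin code. Class and method names are hypothetical.
public class CsrfTokenCheck {

    // Vulnerable pattern: String.equals returns at the first differing character,
    // so the time taken grows with the length of the correct prefix in the guess.
    static boolean equalsEarlyExit(String expected, String presented) {
        return expected.equals(presented);
    }

    // Instrumented copy of the early-exit loop: returns how many bytes were examined
    // before the comparison stopped. This count is what an attacker measures as time.
    static int bytesExaminedByEarlyExit(byte[] expected, byte[] presented) {
        if (expected.length != presented.length) {
            return 0; // length mismatch is rejected before any byte is read
        }
        int examined = 0;
        for (int i = 0; i < expected.length; i++) {
            examined++;
            if (expected[i] != presented[i]) {
                break; // early exit: the leak
            }
        }
        return examined;
    }

    // Hardened pattern: OR together the XOR of every byte and decide at the end, so
    // the work is the same wherever (or whether) the guess differs. The length
    // difference is folded into the result instead of being an early branch.
    static boolean equalsConstantTime(byte[] expected, byte[] presented) {
        int diff = expected.length ^ presented.length;
        int n = Math.min(expected.length, presented.length);
        for (int i = 0; i < n; i++) {
            diff |= expected[i] ^ presented[i];
        }
        return diff == 0;
    }

    // The same check using the JDK helper, which is the idiomatic fix in Java code.
    static boolean equalsConstantTimeJdk(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    // Generates a token of the kind a handler would store in the session.
    static String newToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Builds an attacker guess that matches the first prefixLen bytes of the
    // real token and is wrong from that point on (same length as the token).
    static byte[] guessWithCorrectPrefix(byte[] token, int prefixLen) {
        byte[] guess = new byte[token.length];
        for (int i = 0; i < token.length; i++) {
            guess[i] = i < prefixLen ? token[i] : (byte) (token[i] ^ 0x01);
        }
        return guess;
    }

    public static void main(String[] args) {
        String token = newToken();
        byte[] tokenBytes = token.getBytes(StandardCharsets.UTF_8);

        System.out.println("token length: " + tokenBytes.length + " bytes");
        for (int prefix : new int[] {0, 1, 8, 20, tokenBytes.length - 1}) {
            byte[] guess = guessWithCorrectPrefix(tokenBytes, prefix);
            int examined = bytesExaminedByEarlyExit(tokenBytes, guess);
            boolean accepted = equalsConstantTime(tokenBytes, guess);
            // Early-exit work is prefix + 1 bytes; the constant-time check always
            // touches all 43 bytes and still rejects the guess.
            System.out.printf("correct prefix %2d -> early-exit examined %2d bytes, constant-time accepted=%b%n",
                    prefix, examined, accepted);
        }
        System.out.println("genuine token accepted (JDK helper): "
                + equalsConstantTimeJdk(token, token));
    }
}
```

The per-byte timing difference is on the order of nanoseconds, but an attacker who can send many requests averages the noise away, which is why the remedy is to remove the data dependency rather than to add jitter. On current JDKs `MessageDigest.isEqual` also folds a length mismatch into the result; older releases returned early when lengths differed, which only leaks the token length and is harmless when tokens have a fixed size, as here.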

Affected Packages

Maven com.vaadin:flow-server
Affected versions: 3.0.0 through 5.0.3 (fixed in 5.0.4)
Maven com.vaadin:fusion-endpoint
Affected versions: 6.0.0 (fixed in 6.0.1)

Related CVEs

CVE-2021-31406
Key Information

GHSA ID
GHSA-p7jq-v8jp-j424
Published
April 19, 2021 2:50 PM
Last Modified
April 16, 2021 11:15 PM
CVSS Score
5.0 / 10
Primary Ecosystem
Maven
Primary Package
com.vaadin:flow-server
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.