CVE-2021-31406

Severity: Low (CVSS 3.1 base score 2.5)
Published Apr 23, 2021 · Last Modified Jun 17, 2026

Description

Non-constant-time comparison of CSRF tokens in the endpoint request handler of com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and of com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0), allows an attacker to guess the security token for Fusion endpoints via a timing attack.

CVSS Details

Base Score
2.5
Exploitability
1.0
Impact
1.4
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-203
CWE-208

Affected Products 4

Vendor   Product   Version   Range
vaadin   flow      *         ≥3.0.0 – <5.0.4
vaadin   flow      6.0.0     any
vaadin   vaadin    *         ≥15.0.0 – <18.0.7
vaadin   vaadin    19.0.0    any

References 2

  • github.com https://github.com/vaadin/flow/pull/10157
    Patch, Third Party Advisory
  • vaadin.com https://vaadin.com/security/cve-2021-31406
    Vendor Advisory

Remediation

  • github.com https://github.com/vaadin/flow/pull/10157
    Patch, Third Party Advisory