Fix CVE-2025-15022

[glebfox]

https://vaadin.com/security/cve-2025-15022

NOTE: This vulnerability does not significantly affect CUBA, as the places where we use Vaadin's action.caption do not involve user input.

[glebfox]

Solution

com.vaadin.event.Action allows only simple text formatting: b, em, i, strong, u. All other HTML (tags and attributes) will be removed.

---

To get the fix asap, update the Vaadin version in the build.gradle file:

configure(webModule) {
    dependencies {
        compile('com.vaadin:vaadin-server:8.14.3-2-cuba') {
            exclude(group: 'com.vaadin', module: 'vaadin-sass-compiler')
        }
        compile('com.vaadin:vaadin-compatibility-server:8.14.3-2-cuba') {
            exclude(group: 'com.vaadin', module: 'vaadin-sass-compiler')
        }
        compile('com.vaadin:vaadin-push:8.14.3-2-cuba')

        themes('com.vaadin:vaadin-themes:8.14.3-2-cuba')

        ...
    }

    ...
}

If the WebToolkit module is present, also add the following:

configure(webToolkitModule) {
    dependencies {
        ...

        compile('com.vaadin:vaadin-client:8.14.3-2-cuba')
        compile('com.vaadin:vaadin-client-compiler:8.14.3-2-cuba')
        compile('com.vaadin:vaadin-compatibility-client:8.14.3-2-cuba')
    }

    ...
}

[glebfox]

For QA: you can play with the actions.closeAllTabs message key to add HTML tags.