CVE-2026-2741 is a path traversal vulnerability classified under CWE-22 affecting the Vaadin Flow framework's build process. Vaadin Flow versions 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2 automatically download and extract Node.js if it is not locally installed. The vulnerability occurs because the ZIP archive extraction process does not properly sanitize or restrict the extraction paths, allowing specially crafted ZIP archives to include path traversal sequences (e.g., '../') that enable files to be written outside the intended extraction directory. This flaw can be exploited if an attacker can intercept or manipulate the Node.js download process, which might happen through DNS hijacking, man-in-the-middle (MITM) attacks, compromised mirrors, or supply chain attacks. Exploiting this vulnerability could allow an attacker to place arbitrary files on the victim system, potentially leading to code execution or system compromise depending on what files are overwritten or created. However, exploitation requires the attacker to control the download source or network path, and no user interaction is needed once the build process initiates. The vulnerability has a CVSS 4.0 base score of 2.3, reflecting low severity due to the high attack complexity and limited impact scope. Vaadin has released patched versions (14.14.1, 23.6.7, 24.9.9, 25.0.3) that fix this issue by properly restricting extraction paths. Users of unsupported versions (10-13, 15-22) are advised to upgrade to supported versions. No known exploits have been reported in the wild to date.

The primary impact of CVE-2026-2741 is the potential for an attacker to write arbitrary files outside the intended extraction directory during Vaadin's Node.js download and extraction process. This can lead to unauthorized modification or creation of files on the host system, which may result in code execution, privilege escalation, or system compromise if critical files are overwritten or malicious scripts are planted. However, the exploitation requires the attacker to control or intercept the Node.js download, which limits the attack surface to environments where network security is weak or supply chain integrity is compromised. The vulnerability affects development and build environments using the affected Vaadin versions, potentially impacting continuous integration pipelines or developer machines. Organizations relying on automated builds without a preinstalled Node.js are at higher risk. Although the CVSS score is low, the impact can be significant in targeted attacks, especially in environments with lax network security or where build servers have elevated privileges. The lack of known exploits in the wild suggests limited active exploitation but does not eliminate future risk. Overall, the threat is moderate for organizations using affected Vaadin versions in environments exposed to network interception or supply chain attacks.

1. Upgrade Vaadin Flow to the patched versions: 14.14.1, 23.6.7, 24.9.9, or 25.0.3 or newer, as applicable. 2. Use a globally preinstalled Node.js version compatible with the Vaadin version instead of relying on automatic download and extraction during the build process. 3. Secure the network environment to prevent DNS hijacking and man-in-the-middle attacks, including enforcing DNSSEC, using HTTPS with certificate validation, and employing network segmentation. 4. Validate and monitor the integrity of third-party mirrors or repositories used for Node.js downloads to prevent supply chain compromise. 5. Implement strict file system permissions on build servers to limit the impact of arbitrary file writes. 6. Employ build environment isolation techniques such as containerization or sandboxing to contain potential exploitation. 7. Regularly audit build logs and extracted files for unexpected changes or suspicious activity. 8. For unsupported Vaadin versions (10-13, 15-22), upgrade to supported versions to receive security updates. These steps collectively reduce the risk of exploitation by addressing both the vulnerability and the attack vectors enabling it.