Published: June 2023 CVE Details
Severity: Medium (CVSS 5.3)
The world of Java web apps is never free from surprises, especially if you use frameworks like Vaadin. In 2022, a pretty concerning issue was found in the TreeGrid component of Vaadin. It's officially tracked as CVE-2022-29567 and, put simply, it could accidentally send sensitive data from your server to your users’ browsers. Let's break down what happened, how it works, and how you can secure your app.
## What Is Vaadin and TreeGrid?
First, some context:
Vaadin is a popular Java framework for building modern web interfaces, and TreeGrid is a UI component ("tree-table") that's great for displaying hierarchical data – think directories, project tasks, etc.
## What’s the Problem: Info Leak through Object::toString
When you configure a TreeGrid, the component must know how to refer to each row (node) uniquely – so it uses a key for every row. In the default setup (if you don’t tell it what key to use), TreeGrid falls back to using Java’s built-in Object::toString as a key, both on client and server.
- Your server sends the string representation of *entire Java objects* to the client.
- If those objects expose sensitive details via their toString() (for example, personal names, employee IDs, or internal data), the client will see stuff you never meant to show.
This is a classic case of *information disclosure* – sometimes called a “leak”.
Say you have a custom node object in TreeGrid that looks like this:

```java
import java.util.List;

public class EmployeeNode {
    private String id;
    private String name;
    private String ssn; // Oops!
    private List<EmployeeNode> underlings;
    public String getId() { return id; }
    public String getName() { return name; }
    public List<EmployeeNode> getUnderlings() { return underlings; }
    // toString auto-generated by your IDE or Lombok
}
```
Now, suppose toString() prints out all fields:

```java
@Override
public String toString() {
    return "EmployeeNode{" +
            "name='" + name + '\'' +
            ", ssn='" + ssn + '\'' + // THIS IS SENSITIVE!
            '}';
}
```
Default TreeGrid setup (bad):

```java
TreeGrid<EmployeeNode> grid = new TreeGrid<>();
// TreeGrid takes the root items plus a way to reach each node's children
grid.setItems(employeeRootNodes, EmployeeNode::getUnderlings);
// No explicit key provider, so affected versions fall back to toString() as the key!
grid.addColumn(EmployeeNode::getName).setHeader("Name");
```
## What the Vulnerability Looks Like
When the browser asks the server for data (opening/closing tree nodes), the Vaadin backend sends “key” values to uniquely identify each node. Since toString() is used, these key values include the entire string with sensitive info.
The packet sent from server to client might include lines like:

```json
{
  "key": "EmployeeNode{name='Jane', ssn='123-45-6789'}",
  ...
}
```
Anyone inspecting network traffic (or looking at the page’s internals) can see Social Security Numbers and names – yikes!
## Teachable Example
If you open your browser's developer tools (for example Chrome DevTools) and watch the Network tab, you will see this sensitive data coming down with the TreeGrid updates.
## Why You Might Not Notice
- toString() often includes more information than you expect, especially with code generators or libraries like Lombok.
- Vaadin users might never realize the client is seeing these keys, since they’re for *internal use* in the grid – but network-savvy users or attackers can see everything in the browser.
## How To Fix It
The safest fix is to always provide your own unique, safe, non-sensitive key for each node.
```java
// Any non-sensitive, unique-per-node value works as the key
grid.setPrimaryKeyProvider(EmployeeNode::getName);
```

Or, better, use a generated or database-safe ID:

```java
grid.setPrimaryKeyProvider(EmployeeNode::getId);
```
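As an added example (not from the original post or from Vaadin), here is a small reflection-based check you can put in a unit test to catch model classes whose toString() echoes fields you have marked sensitive; the @Sensitive annotation, the ToStringLeakCheck class and the sample EmployeeNode values are all constructed for this illustration:

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;

public class ToStringLeakCheck {
    // Constructed marker for fields that must never reach the browser.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    public @interface Sensitive {}

    // Sample model mirroring the post's EmployeeNode; its toString() still echoes the SSN.
    static class EmployeeNode {
        private final String id;
        private final String name;
        @Sensitive private final String ssn;
        EmployeeNode(String id, String name, String ssn) {
            this.id = id; this.name = name; this.ssn = ssn;
        }
        String getId() { return id; }
        @Override
        public String toString() {
            return "EmployeeNode{name='" + name + "', ssn='" + ssn + "'}";
        }
    }

    // Returns the names of @Sensitive fields whose value appears verbatim in toString().
    public static List<String> findLeaks(Object item) throws IllegalAccessException {
        String rendered = String.valueOf(item);
        List<String> leaked = new ArrayList<>();
        for (Field f : item.getClass().getDeclaredFields()) {
            if (!f.isAnnotationPresent(Sensitive.class)) continue;
            f.setAccessible(true);
            Object value = f.get(item);
            if (value != null && rendered.contains(value.toString())) {
                leaked.add(f.getName());
            }
        }
        return leaked;
    }

    public static void main(String[] args) throws Exception {
        EmployeeNode jane = new EmployeeNode("emp-42", "Jane", "123-45-6789"); // constructed data
        System.out.println("default (toString) key: " + jane);   // what affected versions send
        System.out.println("safe key:               " + jane.getId());
        System.out.println("leaked sensitive fields: " + findLeaks(jane));
    }
}
```

In a test suite, assert that findLeaks() returns an empty list for every model class you hand to a TreeGrid, so a regenerated Lombok or IDE toString() cannot silently reintroduce the leak.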
Fixed in Vaadin 23.0.9 and later.
Release notes:
- Vaadin Security Advisories
## Real-World Impact
- Leaked personal records like names, social security numbers, internal project codes, or even passwords (if in toString).
- Intranet or enterprise apps are most at risk, where data model objects are complex and often include sensitive info.
## References and Further Reading
- Official CVE-2022-29567
- Vaadin Security Advisory
- How Vaadin TreeGrid works internally
## TL;DR / Summary
- TreeGrid in Vaadin (versions 14.8.5–14.8.9, 22.0.6–22.0.14, 23.0.0.beta2–23.0.8, and specific 23.1 previews) leaks sensitive info by using Object::toString as a key.
- Double-check what your objects’ toString methods expose!
- Don’t take default settings for granted, especially with sensitive data.
Stay safe, and happy coding!
## Timeline
Published on: 05/24/2022 15:15:00 UTC
Last modified on: 06/07/2022 16:59:00 UTC