For enterprise teams, "latest and greatest" does not always mean "implement right now." While we always encourage staying on the latest and greatest version of Vaadin, we recognize that in complex ecosystems, a minor version bump is rarely just a one-line change in a pom.xml.
Today, we are evolving our Extended Maintenance (EM) program to provide broader coverage. We are extending long-term support to individual minor versions of Vaadin 24. Whether you are on 24.1, 24.3, or 24.7, you can now secure your application for 15 years without the pressure of triggering an immediate security reassessment.
Why "Minor" Upgrades Aren't Always Small
Extended Maintenance used to cover only major versions (such as 24.0). However, as developers, we know that "minor" upgrades aren't always minor. Upgrading from Vaadin 24.2 to 24.4 requires more than just updating your pom.xml.
- Compliance & Red Tape: In highly regulated industries (banking, healthcare), even a minor version bump triggers a mandatory, weeks-long QA and certification cycle that you simply don't have time for right now, hijacking your team’s attention from your core product roadmap.
- Dependency Synchronization: You may be locked to a specific version of Spring Security, an API, or a component that is compatible with your current Vaadin version. Upgrading Vaadin often means upgrading Spring Boot, which means you have to check every other library in your stack.
- The Regression Risk: Sometimes a newer minor version fixes five things but breaks that one complex Grid renderer you spent weeks building.
What’s New: Granular Support for Every Minor Release
You no longer have to choose between a "risky" upgrade and an insecure application. You can now lock your application to a specific Vaadin 24 minor version and receive:
- Full Warranty Backports: Continuous access to the same prioritized bug fixes and stability improvements provided in the standard maintenance period, backported directly to your specific minor version.
- Critical CVE Patches: Immediate protection against high-impact security vulnerabilities to ensure you remain audit-ready.
- Reliable Hotfixes: Resolution of critical regressions that threaten production uptime, preventing costly operational distractions.
- Browser & Tech Stack Compatibility: Ensure your UI remains functional as browsers evolve without requiring a full-scale revalidation of your tech stack.
- Baseline Stability: Guaranteed support for your existing Java, Spring Boot, and Jakarta EE configurations, protecting you from unscheduled infrastructure shifts.
Note: Extended Maintenance focuses on security and stability. It includes backports for essential fixes. For teams that want to leverage the latest features and functional enhancements, we recommend staying current with the most recent version of Vaadin.
Security in Action: Recent CVE Examples
Stability and security are not optional. We recently fixed two serious vulnerabilities. If you were stuck on an old minor version that didn't have Extended Maintenance, you had to choose between remaining vulnerable and forcing a potentially breaking upgrade.
Recent high-severity vulnerabilities illustrate the risk:
- CVE-2025-15022 (XSS in Action Captions): Affected versions 24.0.0 through 24.8.13. Without support, staying on 24.7 left you exposed to Cross-Site Scripting through the Spreadsheet component.
- CVE-2025-9467 (File Upload Bypass): Affected 24.0.0 through 24.7.6. This puts applications using the Upload component's start listener at risk.
Both issues have been fixed in our Extended Maintenance (EM) releases. Previously, fixing them on an older minor version meant upgrading to the latest version.
Now, with Extended Maintenance, you can apply these specific security patches directly to your current version (for example, 24.7).
This lets you eliminate the threat without going through the lengthy and often painful upgrade process. Your team can avoid the manual work of untangling dependency conflicts or running extensive regression tests, all in the name of security.
Technical Roadmap & Support Duration
We are committing to the longest support lifecycle in the industry to ensure your application remains a secure, compliant, and high-value asset for your organization.
| Feature | Specification |
|---|---|
| Supported Versions | All Vaadin 24 minor versions (currently 24.0 through 24.8 and all future minor releases) |
| Support Duration | 15 years from the initial release of the major version (e.g., if you are on 24.3, you can stay on 24.3 for 15 years with security patches). |
| Tech Stack Compatibility | Java 17+, Spring Boot 3.x, Jakarta EE 10 |
Understanding the Free vs. Extended Window
Vaadin 24 (the major version) remains under standard free maintenance until June 2026.
- If you are on the latest minor version (e.g., 24.9+): You are covered by free updates.
- If you are on an older minor version (24.0–24.8): These versions have moved out of the free support window. To continue receiving security patches, Extended Maintenance is required.
Extended Maintenance is included in the Enterprise Tier at no additional cost. If you are already an Enterprise customer, you can add Extended Maintenance for minor versions today at no extra cost.
For more details, check out vaadin.com/maintenance
Your Path Forward
We are rolling this out first for Vaadin 24 to support the thousands of teams currently building on this LTS (Long-Term Support) foundation. If you are on an older minor version, you have three options:
- The Upgrade: Move to the latest Vaadin 24 release or Vaadin 25 (free, but requires regression testing).
- The Safety Net: Activate Extended Maintenance via the Enterprise plan to secure your specific version.
- The High-Risk: Remain on your current version without further updates (not recommended for production apps).
Want to see which Vaadin version you're currently using? Check your pom.xml (or build.gradle) to see exactly where you stand:
<properties>
    <vaadin.version>24.7.0</vaadin.version>
</properties>
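To turn that lookup into a repeatable check, the following added example (not Vaadin's own tooling) reads `vaadin.version` from a pom.xml and reports which of the two CVEs above list that version as affected. The sample POM and the function names are constructed for illustration; the check compares version numbers against the ranges quoted in this post only and has no knowledge of which builds carry a backported fix.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as quoted in this post (inclusive on both ends).
AFFECTED = {
    "CVE-2025-15022": ((24, 0, 0), (24, 8, 13)),
    "CVE-2025-9467": ((24, 0, 0), (24, 7, 6)),
}

# Constructed sample pom.xml, not taken from a real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <java.version>17</java.version>
    <vaadin.version>24.7.0</vaadin.version>
  </properties>
</project>
"""


def vaadin_version(pom_text):
    """Return the vaadin.version property as an (int, int, int) tuple, or None."""
    root = ET.fromstring(pom_text)
    for elem in root.iter():
        # Strip the Maven namespace ("{uri}tag") so namespaced and bare POMs both work.
        if elem.tag.rsplit("}", 1)[-1] == "vaadin.version":
            m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", (elem.text or "").strip())
            if m:  # a ${...} placeholder or non-numeric value falls through to None
                return tuple(int(g or 0) for g in m.groups())
    return None


def affected_cves(version):
    """List the CVE ids whose quoted range contains the given version tuple."""
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi)


if __name__ == "__main__":
    v = vaadin_version(SAMPLE_POM)
    print("vaadin.version:", v)
    print("listed as affected by:", affected_cves(v) if v else "version not found")
```

A `None` result means the version is set elsewhere (a parent POM or a property placeholder) and has to be resolved before the check says anything.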
Contact us if you want to enable Extended Maintenance for your current version today.