CVE-2025-67718

Published: Dec 11, 2025

Modified: Dec 11, 2025

PUBLISHED

Description

Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3.

Vendor: formio

Product: formio

Versions:
affected: < 3.5.7
affected: >= 4.0.0-rc.1, < 4.4.3

Weaknesses (CWE)
