Description
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling that could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/formio/formio/security/advisories/GHSA-m654-769v-qjv7
Patch x_refsource_misc
https://github.com/formio/formio/commit/1836bdd9f55f5888ff397c257b2108c09d3de478
Scores
CVSS v4
8.7
EPSS
0.0029
EPSS Percentile
20.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-178
CWE-200
Status
published
Products (3)
formio/formio
< 3.5.7
formio/formio
>= 4.0.0-rc.1, < 4.4.3
npm/formio
0 - 3.5.7
Published
Dec 11, 2025
Tracked Since
Feb 18, 2026