CVE-2025-67718
📋 TL;DR
CVE-2025-67718 is a path handling vulnerability in Form.io that allows attackers to bypass authentication and access protected API endpoints. Unauthenticated or unauthorized users can retrieve sensitive data from endpoints that should be restricted. This affects Form.io versions 3.5.6 and below, and 4.0.0-rc.1 through 4.4.2.
💻 Affected Systems
- Form.io
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all protected API data including sensitive user information, form submissions, and application data to unauthenticated attackers.
Likely Case
Unauthorized access to some protected endpoints leading to data leakage of form submissions and user information.
If Mitigated
Limited data exposure if additional network controls and API gateway protections are in place.
🎯 Exploit Status
The advisory suggests exploitation is straightforward via crafted request paths. No public exploit code is available yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.7 and 4.4.3
Vendor Advisory: https://github.com/formio/formio/security/advisories/GHSA-m654-769v-qjv7
Restart Required: Yes
Instructions:
1. Identify your Form.io version.
2. Upgrade to 3.5.7 if using 3.x series.
3. Upgrade to 4.4.3 if using 4.x series.
4. Restart the Form.io service.
5. Verify the fix by testing protected endpoints.
🔧 Temporary Workarounds
API Gateway Path Validation
Implement path validation at the API gateway level to reject malformed paths before they reach Form.io.
Network Segmentation
Restrict access to Form.io endpoints to only trusted networks and applications.
🧯 If You Can't Patch
- Implement strict API gateway rules to validate and sanitize all incoming request paths
- Deploy Web Application Firewall (WAF) with path traversal and authentication bypass rules
🔍 How to Verify
Check if Vulnerable:
Check package.json for the Form.io version. If the version is ≤3.5.6, or between 4.0.0-rc.1 and 4.4.2, your installation is in the affected range.
Check Version:
Run npm list formio, or check package.json for the 'formio' version.
Verify Fix Applied:
After patching, attempt to access protected API endpoints with crafted paths. Access should be denied.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to protected endpoints
- Requests with malformed or crafted paths
- Unauthorized access attempts returning 200 OK
Network Indicators:
- Unusual traffic to API endpoints from unauthenticated sources
- Patterns of path manipulation in HTTP requests
SIEM Query:
source='formio' AND (status=200 AND (path CONTAINS '../' OR path CONTAINS '..\\' OR path CONTAINS '//'))
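The following is an added example, not code from Form.io or from this advisory: one path check shared by the API gateway workaround described under Temporary Workarounds and the log indicators above. The rejected patterns ('..', '//', backslashes and their percent-encoded forms) are assumptions drawn from the SIEM query, not the exact bypass behind CVE-2025-67718, and the route and log lines are constructed.

```javascript
// Added example, not Form.io project code: one path check shared by a gateway
// guard (placed in front of Form.io) and an access-log scanner. The rejected
// patterns ('..', '//', backslashes, percent-encoded forms) are assumptions
// taken from this advisory's SIEM query, not the exact CVE-2025-67718 bypass.
// Decode percent-encoding up to three times so '%252e%252e' is seen as '..'.
function fullyDecode(path) {
  let out = path;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { return null; } // bad %xx
    if (next === out) break;
    out = next;
  }
  return out;
}
// Returns why a path should be rejected, or null if it looks well-formed.
function pathRejectReason(rawPath) {
  const decoded = fullyDecode(rawPath);
  if (decoded === null) return 'malformed percent-encoding';
  if (decoded.includes('\\')) return 'backslash in path';
  if (decoded.includes('//')) return 'empty path segment';
  if (decoded.split('/').some(seg => seg === '..' || seg === '.')) return 'dot segment';
  return null;
}
// Gateway guard with an Express-style (req, res, next) signature; it answers
// 400 itself so a malformed path never reaches the Form.io router.
function pathGuard(req, res, next) {
  const reason = pathRejectReason(req.url.split('?')[0]);
  if (reason) { res.statusCode = 400; res.end('rejected: ' + reason); return; }
  next();
}
// Log scanner for the advisory's "unauthorized access attempts returning
// 200 OK" indicator. Constructed sample lines, shape "METHOD PATH STATUS".
const SAMPLE_LOG = [
  'GET /form/abc/submission 401',
  'GET /form/abc/../def/submission 200',
  'GET /form//abc/submission 200',
  'GET /form/%2e%2e/abc/submission 200',
  'GET /form/abc/submission 200',
];
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [, path, status] = line.split(' ');
    const reason = pathRejectReason(path);
    if (status === '200' && reason) hits.push({ path, reason });
  }
  return hits;
}
```

Run against the constructed log, scanLog flags the three 200 responses whose paths fail the check and ignores the clean request and the 401.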