CVE-2025-67718
BaseFortify
Publication date: 2025-12-11
Last updated on: 2025-12-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| form.io | form_and_api_platform | 4.4.2 |
| form.io | form_and_api_platform | 4.0.0-rc.1 |
| form.io | form_and_api_platform | 3.5.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Form.io affects versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2, where a flaw in path handling allows an attacker to send a specially crafted request path to access protected API endpoints. This means an unauthenticated or unauthorized user could retrieve data from endpoints that should be protected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to protected API endpoints, potentially leading to unauthorized disclosure of sensitive data. Such data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. Therefore, if exploited, this vulnerability could compromise compliance with these standards by exposing protected data without proper authorization. [2]
How can this vulnerability impact me?
The vulnerability can lead to unauthorized data access, allowing attackers to retrieve sensitive information from protected API endpoints without authentication or authorization. This could result in data breaches and compromise the confidentiality of your data.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Form.io to version 3.5.7 or later, or 4.4.3 or later, as these versions contain the fix for the vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your network or system, you can monitor for HTTP requests with crafted or unusual request paths targeting Form.io API endpoints, especially those that attempt to bypass authorization by manipulating URL parameter case. For example, you can use network traffic inspection tools such as tcpdump or Wireshark to capture HTTP requests and grep or filter for suspicious paths. Additionally, you can use curl or a similar tool to test your Form.io endpoints by sending requests with mixed-case URL parameters to see whether unauthorized data is accessible. Example commands:

1) tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'api'
2) curl -v 'http://your-formio-server/api/SomeEndpoint?Param=Value'
3) curl -v 'http://your-formio-server/api/SomeEndpoint?param=value'

Comparing the responses can help identify inconsistent case handling. Note that no specific detection commands are provided in the resources, so these are general suggestions based on the nature of the vulnerability. [1, 2]
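The tcpdump and curl suggestions above are interactive; for retrospective review of existing access logs, the following Python script is an added example (not code from the page, from BaseFortify, or from the Form.io project). It assumes a reverse proxy in front of Form.io writes Combined Log Format lines, that the protected route prefixes in PROTECTED_PREFIXES are the ones you care about (the list here is hypothetical and must be adapted to your deployment), and that canonical Form.io route names and identifiers are lower-case, so any upper-case letter in a path under a protected prefix is a case variant worth review. It flags two things: requests to a protected route using non-canonical case, and clients that requested both the canonical and a case-variant spelling of the same path, which is the compare-two-responses pattern the answer describes. The sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample log lines (Combined Log Format). IPs, paths and IDs are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2025:10:01:02 +0000] "GET /form/abc123/submission HTTP/1.1" 401 52 "-" "curl/8.4.0"
203.0.113.5 - - [11/Dec/2025:10:01:05 +0000] "GET /Form/abc123/Submission HTTP/1.1" 200 4120 "-" "curl/8.4.0"
198.51.100.9 - - [11/Dec/2025:10:02:00 +0000] "GET /form/abc123 HTTP/1.1" 200 880 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Dec/2025:10:02:01 +0000] "GET /FORM/abc123/SUBMISSION?limit=10 HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
192.0.2.77 - - [11/Dec/2025:10:03:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.28"
"""

# Hypothetical protected route prefixes (assumption); adapt to your own deployment.
PROTECTED_PREFIXES = ("/form", "/role", "/project")

# Combined Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Percent-decode before comparing so "/%46orm" and "/Form" are treated alike.
    rec["path"] = unquote(urlsplit(rec["target"]).path)
    return rec


def under_protected_prefix(folded_path):
    """True if the lower-cased path sits under one of the protected prefixes."""
    return any(folded_path == p or folded_path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def is_case_variant(path):
    """True if the path targets a protected route but is not spelled in canonical lower case."""
    folded = path.lower()
    return under_protected_prefix(folded) and path != folded


def find_case_variant_requests(log_text):
    """All parsed records whose path is a case variant of a protected route."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec is not None and is_case_variant(rec["path"])]


def find_probing_clients(log_text):
    """Clients that requested both the canonical and a case-variant spelling of one protected path."""
    spellings = defaultdict(set)
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None:
            continue
        folded = rec["path"].lower()
        if under_protected_prefix(folded):
            spellings[(rec["ip"], folded)].add(rec["path"])
    return sorted({ip for (ip, _), seen in spellings.items() if len(seen) > 1})


if __name__ == "__main__":
    for rec in find_case_variant_requests(SAMPLE_LOG):
        # A non-4xx/5xx status on a case-variant path is the strongest signal:
        # the server accepted a spelling the authorization layer may not have matched.
        flag = "ACCEPTED" if rec["status"] < 400 else "rejected"
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]} ({flag})')
    print("clients comparing case variants:", find_probing_clients(SAMPLE_LOG))
```

Run it against a real log with `find_case_variant_requests(open("access.log").read())`; a case-variant request that returned 200 where the canonical spelling returned 401 for the same client is exactly the inconsistency the answer above tells you to look for, and after upgrading to a fixed version the variant spellings should return the same status as the canonical ones.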