CVE-2025-67718
BaseFortify

Publication date: 2025-12-11

Last updated on: 2025-12-11

Assigner: GitHub, Inc.

Description
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3.
Meta Information
Published: 2025-12-11
Last Modified: 2025-12-11
Generated: 2026-06-16
AI Q&A: 2025-12-12
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
3 associated CPEs

Vendor    Product                  Version / Range
form.io   form_and_api_platform    4.4.2
form.io   form_and_api_platform    4.0.0-rc.1
form.io   form_and_api_platform    3.5.6
CWE
CWE ID    Description
CWE-178   The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Detection Guidance

To detect attempts to exploit this vulnerability on your network or system, monitor for HTTP requests with crafted or unusual request paths aimed at Form.io API endpoints, especially paths that try to bypass authorization by manipulating URL parameter case. Network capture tools such as tcpdump or Wireshark can record HTTP requests so that suspicious paths can be filtered out with grep; note that traffic on port 443 is TLS-encrypted, so the request path is only readable at the TLS terminator or in the application's own access logs. You can also use curl or a similar tool to test your own Form.io endpoints by sending requests with mixed-case URL parameters and checking whether unauthorized data is returned. Example commands:

1) tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'api'
2) curl -v 'http://your-formio-server/api/SomeEndpoint?Param=Value'
3) curl -v 'http://your-formio-server/api/SomeEndpoint?param=value'

Comparing the responses to 2) and 3) can reveal inconsistent case handling. No specific detection commands are provided in the referenced resources; these are general suggestions based on the nature of the vulnerability. [1, 2]
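As an added illustration of the log-side check described above (example code, not from BaseFortify or the Form.io project), the following Node.js script scans access-log lines for requests that reach a protected API prefix only after case folding, the request shape CWE-178 describes. The protected prefixes and the sample log lines are constructed for the example; substitute your deployment's own routes.

```javascript
// Added detection example (not Form.io's or BaseFortify's code). The protected
// route prefixes are hypothetical placeholders for the example.
const PROTECTED_PREFIXES = ['/api/admin', '/api/user'];

// Pull method, request target and status out of a Common/Combined Log Format line.
function parseLogLine(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+"\s+(\d{3})/);
  return m ? { method: m[1], target: m[2], status: Number(m[3]) } : null;
}

// Percent-decode the path part of a request target; on malformed encoding keep
// the raw path so a bad request is still inspected rather than dropped.
function decodedPath(target) {
  const path = target.split('?')[0];
  try { return decodeURIComponent(path); } catch (e) { return path; }
}

// Classify one request target relative to the protected prefixes:
//   'unprotected'  -> not under any protected prefix
//   'exact'        -> under a prefix, spelled in its canonical (lower) case
//   'case-variant' -> reaches a prefix only once case is folded
function classifyTarget(target) {
  const path = decodedPath(target);
  const folded = path.toLowerCase();
  const hit = PROTECTED_PREFIXES.find(p => folded === p || folded.startsWith(p + '/'));
  if (!hit) return 'unprotected';
  return path.startsWith(hit) ? 'exact' : 'case-variant';
}

// Scan log lines and return the case-variant requests worth alerting on; a 2xx
// status on such a request is the strongest sign that the authorization check was skipped.
function findCaseVariantRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    if (classifyTarget(req.target) === 'case-variant') {
      hits.push({ target: req.target, status: req.status, succeeded: req.status >= 200 && req.status < 300 });
    }
  }
  return hits;
}

// Constructed sample log lines for a stand-alone run.
const SAMPLE_LOG = [
  '203.0.113.5 - - [11/Dec/2025:10:00:01 +0000] "GET /api/user HTTP/1.1" 401 0',
  '203.0.113.5 - - [11/Dec/2025:10:00:02 +0000] "GET /api/User HTTP/1.1" 200 512',
  '203.0.113.5 - - [11/Dec/2025:10:00:03 +0000] "GET /API/admin/settings HTTP/1.1" 200 90',
  '203.0.113.5 - - [11/Dec/2025:10:00:04 +0000] "GET /api/public/health HTTP/1.1" 200 2',
];

console.log(findCaseVariantRequests(SAMPLE_LOG));
```

The same classification can be applied to a captured request path from tcpdump output, but server-side access logs are the reliable source once traffic is TLS-encrypted.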

Executive Summary

This vulnerability in Form.io affects versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2, where a flaw in path handling allows an attacker to send a specially crafted request path to access protected API endpoints. This means an unauthenticated or unauthorized user could retrieve data from endpoints that should be protected.

Impact Analysis

The vulnerability can lead to unauthorized data access, allowing attackers to retrieve sensitive information from protected API endpoints without authentication or authorization. This could result in data breaches and compromise the confidentiality of your data.

Mitigation Strategies

Upgrade Form.io to version 3.5.7 or later, or 4.4.3 or later, as these versions contain the fix for the vulnerability.

Compliance Impact

This vulnerability allows unauthorized access to protected API endpoints, potentially leading to unauthorized disclosure of sensitive data. Such data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. Therefore, if exploited, this vulnerability could compromise compliance with these standards by exposing protected data without proper authorization. [2]
