VYPR
Critical severity 9.8 · NVD Advisory · Published May 14, 2024 · Updated Apr 15, 2026

CVE-2024-34706

Description

Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token (JWT) of the user is exposed to api.form.io via the x-jwt-token header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user. This issue is caused by a misconfiguration of the Form.io component.

The following conditions have to be met in order to perform this attack:
  • an attacker needs to have access to the network traffic on the api.form.io domain;
  • the content of the x-jwt-token header is logged or otherwise available to the attacker;
  • an attacker needs to have network access to the Valtimo API;
  • an attacker needs to act within the time-to-live of the access token (the default TTL in Keycloak is 5 minutes).

Versions 10.8.4, 11.1.6 and 11.2.2 have been patched.
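A defender-side check for the leak described above, added here as an example and not code from the advisory, Valtimo or Form.io: it scans captured outbound browser requests (a constructed sample with a constructed token) for an x-jwt-token header sent to any host other than the application's own origin, and reports whose token it was and how much of its lifetime remained at capture time.

```typescript
// Added example (not Valtimo's or Form.io's code): audit captured requests for the
// CVE-2024-34706 pattern, an x-jwt-token header sent to a host other than the app's own origin.
interface CapturedRequest { url: string; headers: { [name: string]: string } }
export interface Finding {
  url: string;
  subject: string | null; // "sub" claim of the leaked token, when decodable
  secondsLeft: number;    // lifetime the token still had when captured
}

// Decode the payload segment of a JWT without checking the signature: the aim
// is to see what was leaked, not to trust the claims.
export function decodeJwtPayload(token: string): { [claim: string]: unknown } | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  try {
    const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  } catch {
    return null;
  }
}

// Report every request that carries the header to a third-party origin.
export function findTokenLeaks(requests: CapturedRequest[], appOrigin: string, now: number): Finding[] {
  const findings: Finding[] = [];
  for (const req of requests) {
    let token: string | undefined;
    for (const name in req.headers) {
      if (name.toLowerCase() === 'x-jwt-token') token = req.headers[name];
    }
    if (!token || new URL(req.url).origin === appOrigin) continue; // absent, or first-party
    const claims = decodeJwtPayload(token);
    const sub = claims && typeof claims.sub === 'string' ? claims.sub : null;
    const exp = claims && typeof claims.exp === 'number' ? claims.exp : now;
    findings.push({ url: req.url, subject: sub, secondsLeft: Math.max(0, exp - now) });
  }
  return findings;
}

// Constructed sample data: a fake 5-minute token (Keycloak's default TTL, per the
// advisory) and three requests, one of them to api.form.io carrying the header.
const seg = (o: object) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
export const SAMPLE_TOKEN = `${seg({ alg: 'RS256', typ: 'JWT' })}.${seg({ sub: 'alice', iat: 1715680000, exp: 1715680300 })}.sig-placeholder`;
export const SAMPLE_REQUESTS: CapturedRequest[] = [
  { url: 'https://valtimo.example/api/v1/case', headers: { 'x-jwt-token': SAMPLE_TOKEN } },
  { url: 'https://api.form.io/current', headers: { 'X-JWT-Token': SAMPLE_TOKEN } },
  { url: 'https://api.form.io/project/p/form/f', headers: {} },
];
```

Fed with a HAR export or proxy log instead of the constructed sample, the same function gives a quick confirmation of whether a deployed frontend still exhibits the leak after upgrading.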

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Ecosystem   Affected versions      Patched versions
@valtimo/components   npm         < 10.8.4               10.8.4
@valtimo/components   npm         >= 11.0.0, < 11.1.6    11.1.6
@valtimo/components   npm         >= 11.2.0, < 11.2.2    11.2.2

Patches (3)

d65e05fd2784

Merge pull request #963 from valtimo-platform/fix/form-io-token-10-8-3-node16

1 file changed · +4 −0
  • projects/valtimo/components/src/lib/components/form-io/form-io.component.ts (+4 −0, modified)
    @@ -111,6 +111,9 @@ export class FormioComponent implements OnInit, OnChanges, OnDestroy {
       ) {}
     
       public ngOnInit() {
    +    Formio.setProjectUrl(location.origin);
    +    Formio.authUrl = location.origin;
    +
         this.openRouteSubscription();
         this.errors$.next([]);
         this.setInitialToken();
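Review bot: The two added lines at the top of ngOnInit mutate static Formio configuration (setProjectUrl and authUrl) from a component lifecycle hook, so the override takes effect only once the first FormioComponent is created and is re-applied on every instance; moving it to application bootstrap would also cover any Formio use outside this component. The PR description should also state the assumption the fix rests on: `location.origin` is only the right base when the Valtimo frontend and its API share an origin, since that host now receives the x-jwt-token header instead of api.form.io.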
    @@ -190,6 +193,7 @@ export class FormioComponent implements OnInit, OnChanges, OnDestroy {
       }
     
       private setToken(token: string): void {
    +    Formio.setUser(jwt_decode(token));
         Formio.setToken(token);
         localStorage.setItem('formioToken', token);
         this.setTimerForTokenRefresh(token);
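Review bot: `jwt_decode` is not imported anywhere in this diff (+4/−0, one file), so the build depends on an import that must already exist in form-io.component.ts; worth confirming, and the commit message gives no reason for decoding the token here. The reading that fits the advisory is that seeding Formio with the user before `Formio.setToken(token)` keeps the library from resolving the user itself against its project URL with the token attached; a one-line comment above `Formio.setUser(jwt_decode(token));` saying so would stop the next maintainer from removing what looks like a redundant decode. The claims are handed to Formio unverified, which is fine as an identity hint but must not feed any client-side authorization decision.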
    
8c2dbf2a4118

TP Story #110428 - [FE] Exposed JWT token to form.io (#955)

1 file changed · +4 −0
  • projects/valtimo/components/src/lib/components/form-io/form-io.component.ts (+4 −0, modified)
    @@ -125,6 +125,9 @@ export class FormioComponent implements OnInit, OnChanges, OnDestroy {
       ) {}
     
       public ngOnInit(): void {
    +    Formio.setProjectUrl(location.origin);
    +    Formio.authUrl = location.origin;
    +
         this.openRouteSubscription();
         this.errors$.next([]);
         this.setInitialToken();
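Review bot: Same ngOnInit change as in d65e05fd2784, and the same concern applies: `Formio.setProjectUrl(location.origin)` and `Formio.authUrl = location.origin` are global settings being applied from a component hook rather than once at bootstrap, and the dependence on the frontend and the API sharing an origin is not documented in the change.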
    @@ -203,6 +206,7 @@ export class FormioComponent implements OnInit, OnChanges, OnDestroy {
       }
     
       private setToken(token: string): void {
    +    Formio.setUser(jwtDecode(token));
         Formio.setToken(token);
         localStorage.setItem(this._FORMIO_TOKEN_LOCAL_STORAGE_KEY, token);
         this.setTimerForTokenRefresh(token);
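Review bot: `jwtDecode` is spelled differently from the `jwt_decode` used in d65e05fd2784, and neither spelling is imported in this diff; the two names suggest different major versions of the jwt-decode package across branches, so the existing import in this file should be checked against the installed version, because a mismatch only surfaces at build time. As in the 10.8 variant, the ordering of `Formio.setUser(...)` before `Formio.setToken(token)` is load-bearing and deserves a comment.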
    
1aaba5ef5750

TP Story #110428 - [FE] Exposed JWT token to form.io (#955)

1 file changed · +4 −0
  • projects/valtimo/components/src/lib/components/form-io/form-io.component.ts (+4 −0, modified)
    @@ -125,6 +125,9 @@ export class FormioComponent implements OnInit, OnChanges, OnDestroy {
       ) {}
     
       public ngOnInit(): void {
    +    Formio.setProjectUrl(location.origin);
    +    Formio.authUrl = location.origin;
    +
         this.openRouteSubscription();
         this.errors$.next([]);
         this.setInitialToken();
    @@ -203,6 +206,7 @@ export class FormioComponent implements OnInit, OnChanges, OnDestroy {
       }
     
       private setToken(token: string): void {
    +    Formio.setUser(jwtDecode(token));
         Formio.setToken(token);
         localStorage.setItem(this._FORMIO_TOKEN_LOCAL_STORAGE_KEY, token);
         this.setTimerForTokenRefresh(token);
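Review bot: Both hunks in this commit are identical to those in 8c2dbf2a4118 (same commit message, same file, same +4/−0, same line numbers), so the comments on that commit apply unchanged here; the commit message should name the release branch it targets, since the advisory lists three patched lines (10.8.4, 11.1.6, 11.2.2) and nothing in the message distinguishes this backport from its twin.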
    