High severity · NVD Advisory · Published Dec 11, 2025 · Updated Apr 15, 2026
CVE-2025-67718
Description
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3.
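The case mismatch the description refers to, shown as an added example that is not Form.io's code: the parser below mirrors the shape of the patched key/value loop, with the pre-fix (verbatim key) and post-fix (lowercased key) behaviours switchable, beside a guard that looks keys up in their canonical lowercase form. The `/key/value` path layout, the `Resource` key and the `abc123` value are constructed assumptions for the demonstration.

```javascript
// Added example, not Form.io's code: a path-segment parser in the shape of the
// patched loop, with the pre-fix (verbatim key) and fixed (lowercased key)
// behaviours side by side. The "/key/value/key/value" path layout and the
// protected key name are constructed assumptions.

// Build a key/value map from alternating path segments.
// normalizeKeys=false keeps keys exactly as typed (pre-fix behaviour);
// normalizeKeys=true lowercases them (post-fix behaviour).
function buildUrlParams(path, normalizeKeys) {
  const parts = path.split('/').filter((segment) => segment.length > 0);
  const urlParams = {};
  for (let a = 0; a < parts.length; a += 2) {
    const key = normalizeKeys ? parts[a].toLowerCase() : parts[a];
    // An odd segment count leaves the final key with no value; make that explicit.
    urlParams[key] = a + 1 < parts.length ? parts[a + 1] : null;
  }
  return urlParams;
}

// A guard that decides whether a request touches a protected resource by
// looking the parsed map up under its canonical (lowercase) key. The guard is
// only as good as the parser's key normalization: if the parser keeps the key
// as typed, any non-canonical spelling lands in a different bucket.
function touchesProtectedResource(urlParams, protectedKey) {
  return Object.prototype.hasOwnProperty.call(urlParams, protectedKey.toLowerCase());
}

// Regression check a maintainer can keep: every case variant of the key
// segment must be recognized by the guard once keys are normalized.
function caseVariantsOf(word) {
  return [
    word.toLowerCase(),
    word.toUpperCase(),
    word.charAt(0).toUpperCase() + word.slice(1).toLowerCase(),
  ];
}

function guardCoversAllVariants(protectedKey, normalizeKeys) {
  return caseVariantsOf(protectedKey).every((variant) => {
    const params = buildUrlParams(`/${variant}/abc123`, normalizeKeys);
    return touchesProtectedResource(params, protectedKey);
  });
}

// Constructed path: the same resource, with its key segment in non-canonical case.
const MIXED_CASE_PATH = '/Resource/abc123';

console.log(buildUrlParams(MIXED_CASE_PATH, false)); // { Resource: 'abc123' } -> guard misses it
console.log(buildUrlParams(MIXED_CASE_PATH, true));  // { resource: 'abc123' } -> guard sees it
console.log(guardCoversAllVariants('resource', false)); // false
console.log(guardCoversAllVariants('resource', true));  // true
```

The point of `guardCoversAllVariants` is that the fix is only complete if the parser and every consumer of the parsed map agree on one canonical case; a check like this one fails the moment either side drifts back to case-sensitive handling.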
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| formio | npm | < 3.5.7 | 3.5.7 |
| formio | npm | >= 4.0.0-rc.1, < 4.4.3 | 4.4.3 |
Affected products
Patches
1836bdd9f55f: Ensure the case is consistent for the url parameters.
1 file changed · +1 −1
src/util/util.js+1 −1 modified@@ -414,7 +414,7 @@ const Utils = { // Build key/value list. for (let a = 0; a < parts.length; a += 2) { - urlParams[parts[a]] = parts[a + 1]; + urlParams[parts[a].toLowerCase()] = parts[a + 1]; } debug.getUrlParams(urlParams);
1665b7c99e3c: Ensure the case is consistent for the url parameters.
1 file changed · +1 −1
src/util/util.js+1 −1 modified@@ -411,7 +411,7 @@ const Utils = { // Build key/value list. for (let a = 0; a < parts.length; a += 2) { - urlParams[parts[a]] = parts[a + 1]; + urlParams[parts[a].toLowerCase()] = parts[a + 1]; } debug.getUrlParams(urlParams);
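Review bot: the one-line change in both commits (1836bdd9f55f and 1665b7c99e3c carry the same hunk on two branches) ships without a regression test; a test that parses a path whose key segment is in mixed case and asserts the lowercase key is present in `urlParams` would pin the behaviour and catch a later revert. The fix normalizes only the key (`parts[a].toLowerCase()`) and leaves the value `parts[a + 1]` as-is, so confirm that scope is intended and that every consumer of `urlParams` now looks keys up in lowercase, since normalizing only at this point leaves any case-sensitive lookup elsewhere silently unmatched. Pre-existing and not introduced here: with an odd number of segments the final key is assigned `parts[a + 1]` as `undefined`, which is worth a comment next to the "Build key/value list" loop.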
References
- github.com/advisories/GHSA-m654-769v-qjv7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67718 (NVD, advisory)
- github.com/formio/formio/commit/1665b7c99e3cf3246db7ff0b4ff732231dc6903b (fix commit)
- github.com/formio/formio/commit/1836bdd9f55f5888ff397c257b2108c09d3de478 (fix commit)
- github.com/formio/formio/security/advisories/GHSA-m654-769v-qjv7 (vendor advisory)