Formio improperly authorized permission elevation through specially crafted request path
- Severity: High
Description
Summary: A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain configurations.
Recommendation
Update the formio package to the latest compatible version. Version details:
Affected version(s): **>= 4.0.0-rc.1, < 4.4.3** and **< 3.5.7**
Patched version(s): **4.4.3** and **3.5.7**
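To turn the version ranges above into a repeatable check, here is an added example (not code from the advisory or the formio project) that compares a formio version against the two stated affected ranges and reports the lowest patched version to move to. It handles semver pre-release ordering, which matters here because the lower bound is a pre-release (4.0.0-rc.1) and a 4.4.3 pre-release still sorts below the 4.4.3 fix. The `scan_lockfile` helper and the embedded package-lock snippet (including the `some-plugin` nested copy) are constructed for illustration.

```python
import json
import re

# Ranges exactly as the advisory states them: (lower bound inclusive or None, upper bound exclusive).
AFFECTED_RANGES = [("4.0.0-rc.1", "4.4.3"), (None, "3.5.7")]
PATCHED_VERSIONS = ["3.5.7", "4.4.3"]

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z.-]+)?$"
)


def version_key(version):
    """Sort key implementing semver precedence (build metadata ignored).

    A release sorts above every pre-release of the same core version; inside a
    pre-release, numeric identifiers compare as integers and rank below
    alphanumeric ones, and a longer identifier list wins on an equal prefix.
    """
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (core, 1, ())
    ids = tuple((0, int(i)) if i.isdigit() else (1, i) for i in pre.split("."))
    return (core, 0, ids)


def is_affected(version):
    """True if `version` falls inside any affected range from the advisory."""
    k = version_key(version)
    for lower, upper in AFFECTED_RANGES:
        if lower is not None and k < version_key(lower):
            continue
        if k < version_key(upper):
            return True
    return False


def recommended_upgrade(version):
    """Lowest patched version above `version`, or None if not affected."""
    if not is_affected(version):
        return None
    k = version_key(version)
    for pk, patched in sorted((version_key(p), p) for p in PATCHED_VERSIONS):
        if pk > k:
            return patched
    return None  # unreachable: every affected version lies below a patched one


def scan_lockfile(lock_text):
    """Report every formio copy (top-level or nested) in a package-lock.json v2/v3."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "node_modules/formio" or path.endswith("/node_modules/formio"):
            ver = meta.get("version", "")
            findings.append({
                "path": path,
                "version": ver,
                "affected": is_affected(ver),
                "upgrade_to": recommended_upgrade(ver),
            })
    return findings


# Constructed sample lockfile: one vulnerable top-level copy, one patched nested copy.
SAMPLE_LOCK = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"formio": "^4.4.0"}},
        "node_modules/formio": {"version": "4.4.2"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/some-plugin/node_modules/formio": {"version": "3.5.7"},
    },
})

if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCK):
        print(finding)
```

Run it against a real `package-lock.json` by passing the file contents to `scan_lockfile`; nested copies pulled in by other dependencies are reported separately because each needs its own bump. Note that the advisory's ranges leave versions between 3.5.7 and 4.0.0-rc.1 unlisted, and the check faithfully reports those as not affected.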
Related Issues
- TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update - CVE-2025-60542
- Cube Core is vulnerable to privilege escalation via a specially crafted request - CVE-2026-25958
- @mozilla/readability Denial of Service through Regex - CVE-2025-2792
- Vite has an `server.fs.deny` bypass with an invalid `request-target` - CVE-2025-32395
- Tags: npm, formio
Last updated on December 11, 2025