Formio improperly authorized permission elevation through specially crafted request path
- Severity: High
Description
Summary: A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain configurations.
Recommendation
Update the formio package to the latest compatible version. Version details:
- Affected version(s): **>= 4.0.0-rc.1, < 4.4.3** (4.x line) and **< 3.5.7** (3.x line)
- Patched version(s): **4.4.3** and **3.5.7**
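The affected ranges above include a prerelease lower bound (`4.0.0-rc.1`), which plain string comparison gets wrong. The following is an added example, not code from the advisory or from the formio project: it implements SemVer precedence (including prerelease ordering, so `4.0.0-rc.1 < 4.0.0` and `4.4.3-rc.1 < 4.4.3`) and reports whether an installed formio version falls in either affected range and which patched release applies. The range constants are copied from the advisory; the sample versions at the bottom are constructed for illustration.

```javascript
// Added example (not part of the advisory or the formio project): check an
// installed formio version against the advisory's affected ranges using
// SemVer 2.0.0 precedence rules, with no npm dependency.

// Ranges as stated in the advisory: one per release line.
const AFFECTED_RANGES = [
  { min: '4.0.0-rc.1', max: '4.4.3' }, // 4.x: >= 4.0.0-rc.1, < 4.4.3
  { min: null, max: '3.5.7' },         // 3.x: < 3.5.7
];
const PATCHED = ['4.4.3', '3.5.7'];

// Parse "major.minor.patch[-prerelease][+build]"; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Compare two prerelease identifiers: numeric ones compare numerically and
// sort before alphanumeric ones; alphanumeric ones compare lexically.
function comparePreId(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 for x < y, x == y, x > y under SemVer precedence.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  // Same major.minor.patch: a prerelease is lower than the final release.
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = comparePreId(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length); // more identifiers ranks higher
}

// True if the version lies inside any affected range (min inclusive, max exclusive).
function isAffected(version) {
  return AFFECTED_RANGES.some(({ min, max }) => {
    const aboveMin = min === null || compareSemver(version, min) >= 0;
    const belowMax = compareSemver(version, max) < 0;
    return aboveMin && belowMax;
  });
}

// Patched release on the same major line, or null if the advisory names none.
function patchedVersionFor(version) {
  const major = parseSemver(version).main[0];
  return PATCHED.find((p) => parseSemver(p).main[0] === major) || null;
}

// Constructed sample versions, e.g. read from `npm ls formio --json` in practice.
for (const v of ['3.5.6', '3.5.7', '4.0.0-rc.0', '4.0.0-rc.1', '4.4.2', '4.4.3']) {
  const verdict = isAffected(v) ? `AFFECTED, upgrade to ${patchedVersionFor(v)}` : 'not affected';
  console.log(`formio@${v}: ${verdict}`);
}
```

Note that this is strict precedence comparison: a prerelease of the patched version (such as `4.4.3-rc.1`) is reported as affected because it precedes `4.4.3`, whereas npm's `semver` package would exclude prereleases from a range unless asked to include them.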
References
- Tags: npm, formio
Last updated on December 11, 2025