CVE-2025-67718

Source
https://cve.org/CVERecord?id=CVE-2025-67718
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67718.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67718
Aliases
Published
2025-12-11T00:58:43.297Z
Modified
2026-07-15T01:49:01.968788733Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Formio improperly authorized permission elevation through specially crafted request path
Details

Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3.

Database specific
{
    "cwe_ids": [
        "CWE-178",
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67718.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/formio/formio

Affected ranges

Type
GIT
Repo
https://github.com/formio/formio
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.0.0-rc.1"
        },
        {
            "fixed": "4.4.2"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

v4.*
v4.0.0
v4.0.0-rc.1
v4.0.0-rc.10
v4.0.0-rc.11
v4.0.0-rc.12
v4.0.0-rc.13
v4.0.0-rc.14
v4.0.0-rc.15
v4.0.0-rc.16
v4.0.0-rc.17
v4.0.0-rc.18
v4.0.0-rc.19
v4.0.0-rc.2
v4.0.0-rc.20
v4.0.0-rc.21
v4.0.0-rc.22
v4.0.0-rc.23
v4.0.0-rc.24
v4.0.0-rc.25
v4.0.0-rc.26
v4.0.0-rc.27
v4.0.0-rc.29
v4.0.0-rc.3
v4.0.0-rc.30
v4.0.0-rc.31
v4.0.0-rc.32
v4.0.0-rc.33
v4.0.0-rc.4
v4.0.0-rc.5
v4.0.0-rc.6
v4.0.0-rc.7
v4.0.0-rc.8
v4.0.0-rc.9
v4.1.0-rc.1
v4.1.0-rc.2
v4.1.0-rc.3
v4.1.0-rc.4
v4.2.0
v4.2.0-rc.1
v4.2.0-rc.2
v4.2.0-rc.3
v4.2.0-rc.4
v4.2.0-rc.5
v4.2.0-rc.6
v4.2.1-rc.1
v4.2.1-rc.3
v4.2.1-rc.4
v4.2.1-rc.5
v4.3.0
v4.3.0-rc.10
v4.3.0-rc.11
v4.3.0-rc.12
v4.3.0-rc.13
v4.3.0-rc.14
v4.3.0-rc.15
v4.3.0-rc.16
v4.3.0-rc.17
v4.3.0-rc.18
v4.3.0-rc.19
v4.3.0-rc.2
v4.3.0-rc.20
v4.3.0-rc.21
v4.3.0-rc.22
v4.3.0-rc.23
v4.3.0-rc.24
v4.3.0-rc.25
v4.3.0-rc.26
v4.3.0-rc.27
v4.3.0-rc.28
v4.3.0-rc.29
v4.3.0-rc.3
v4.3.0-rc.30
v4.3.0-rc.31
v4.3.0-rc.32
v4.3.0-rc.33
v4.3.0-rc.34
v4.3.0-rc.35
v4.3.0-rc.36
v4.3.0-rc.37
v4.3.0-rc.38
v4.3.0-rc.4
v4.3.0-rc.5
v4.3.0-rc.6
v4.3.0-rc.7
v4.3.0-rc.8
v4.3.0-rc.9
v4.4.0
v4.4.0-rc.1
v4.4.0-rc.12
v4.4.0-rc.13
v4.4.0-rc.14
v4.4.0-rc.15
v4.4.0-rc.16
v4.4.0-rc.17
v4.4.0-rc.18
v4.4.0-rc.19
v4.4.0-rc.2
v4.4.0-rc.20
v4.4.0-rc.21
v4.4.0-rc.22
v4.4.0-rc.23
v4.4.0-rc.24
v4.4.0-rc.25
v4.4.0-rc.26
v4.4.0-rc.27
v4.4.0-rc.28
v4.4.0-rc.29
v4.4.0-rc.3
v4.4.0-rc.30
v4.4.0-rc.31
v4.4.0-rc.32
v4.4.0-rc.33
v4.4.0-rc.34
v4.4.0-rc.35
v4.4.0-rc.36
v4.4.0-rc.37
v4.4.0-rc.38
v4.4.0-rc.4
v4.4.0-rc.5
v4.4.0-rc.6
v4.4.0-rc.7
v4.4.0-rc.8
v4.4.0-rc.9
v4.4.1-rc.1
v4.4.2
v4.4.2-rc.1
v4.4.2-rc.2
v4.4.2-rc.3
v4.4.2-rc.4
v4.4.2-rc.5
v4.4.2-rc.6
v4.4.2-rc.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67718.json"