Form.io Path Handling Vulnerability Allowing Unauthorized Access to Protected API Endpoints

Vulnerability

A vulnerability in Form.io's path handling has been identified that allows unauthorized access to protected API endpoints. The issue affects Form.io versions 3.5.6 and earlier, and versions 4.0.0-rc.1 through 4.4.2. It arises because a crafted request path is handled in a way that bypasses the authentication or authorization check for an endpoint, so an unauthenticated or under-privileged request can reach data that should only be served to authorized callers.
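
The general class of flaw described above, as an added illustration that is not Form.io's code and does not reproduce the specific path pattern involved in this issue (the advisory does not give it): an authorization guard that decides on the raw request path as received, while the router dispatches on a canonicalized form of it (percent-decoded, repeated slashes collapsed, "." and ".." resolved). Any request whose raw and canonical paths disagree can land on a protected route without the guard ever seeing a protected path. The hardened guard canonicalizes first and fails closed; the final function applies the same comparison to access-log lines as a detection check. The protected prefixes, canonicalization rules and log lines are assumptions constructed for the example.

```javascript
// Added example: path-canonicalization mismatch between an authorization
// guard and a router, plus a hardened guard and a log check. Illustrative
// only; not Form.io's implementation and not its actual trigger path.

// Assumed set of protected endpoint prefixes (constructed for the example).
const PROTECTED_PREFIXES = ["/form", "/project"];

// Canonicalize a path the way a typical router does before route matching:
// one percent-decoding pass, drop empty and "." segments, resolve "..".
// Returns null when the path cannot be decoded (malformed %-escape).
// Note: a router that decodes more than once (double-encoding) would need
// the same number of passes here; this example assumes a single pass.
function canonicalizePath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return null;
  }
  const segments = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// Shared prefix test: exact match, or prefix followed by a segment boundary,
// so "/formx" is not treated as "/form".
function matchesProtected(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

// Naive guard: decides on the raw path. This is the weak pattern; anything
// the router normalizes away (encoding, "//", "..") is invisible here.
function naiveIsProtected(rawPath) {
  return matchesProtected(rawPath);
}

// Hardened guard: decides on exactly the path the router will dispatch on,
// and fails closed if that path cannot be computed.
function hardenedIsProtected(rawPath) {
  const canonical = canonicalizePath(rawPath);
  if (canonical === null) return true;
  return matchesProtected(canonical);
}

// Constructed access-log lines ("METHOD PATH STATUS"); not real traffic.
const SAMPLE_LOG = [
  "GET /form/abc123/submission 200",
  "GET /health 200",
  "GET /public//../form/abc123/submission 200",
  "GET /%66orm/abc123/submission 200",
  "GET /formx 404",
  "GET /form/%E0%A4%A 400",
];

// Detection check: flag any request whose authorization decision would
// differ between the raw path and its canonical form. Each hit carries the
// canonical path so an analyst can see which route was actually reached.
function findPathConfusion(lines) {
  const hits = [];
  for (const line of lines) {
    const parts = line.split(" ");
    if (parts.length < 2) continue;
    const rawPath = parts[1];
    if (naiveIsProtected(rawPath) !== hardenedIsProtected(rawPath)) {
      hits.push({ line, canonical: canonicalizePath(rawPath) });
    }
  }
  return hits;
}

// Stand-alone usage: print the flagged lines from the constructed log.
for (const hit of findPathConfusion(SAMPLE_LOG)) {
  console.log(`raw=${hit.line.split(" ")[1]} canonical=${hit.canonical}`);
}
```

The point of the hardened guard is not the particular normalization rules but the ordering: whatever transformation the router applies must be applied before, not after, the access decision, and a path that cannot be transformed should be refused rather than passed through.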

Impact

Successful exploitation gives an attacker unauthorized read access to data served by protected API endpoints, without the credentials or permissions those endpoints normally require.

Remediation

Upgrade Form.io to version 3.5.7 (for the 3.x line) or 4.4.3 (for the 4.x line). Users of Form.io Server should upgrade to version 8.5.8 or 9.4.3.

Added: Dec 11, 2025, 1:18 AM
Updated: Dec 11, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 8.2
remediation: 7.7
relevance: 1.4
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.