Описание
Formio improperly authorized permission elevation through specially crafted request path
Security Advisory: Unauthorized permission elevation through specially crafted request path
Summary: A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain configurations.
Impact: In affected configurations, an unauthenticated or unauthorized request could retrieve data from endpoints that should be protected.
Affected versions: <= 3.5.6 <= 4.4.2
Fixed in: 3.5.7 4.4.3
Mitigation / Workarounds: Upgrade to 3.5.7 or later.
Disclosure timeline: Discovered 2025-05-22; fixed 2025-05-30; publicly disclosed 2025-12.
Пакеты
formio
< 3.5.7
3.5.7
formio
>= 4.0.0-rc.1, < 4.4.3
4.4.3
Связанные уязвимости
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3.