Headline
GHSA-m654-769v-qjv7: Formio improperly authorized permission elevation through specially crafted request path
Security Advisory: Unauthorized permission elevation through specially crafted request path
Summary: A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain configurations.
Impact: In affected configurations, an unauthenticated or unauthorized request could retrieve data from endpoints that should be protected.
Affected versions: <= 3.5.6 <= 4.4.2
Fixed in: 3.5.7 4.4.3
Mitigation / Workarounds: Upgrade to 3.5.7 or later.
Disclosure timeline: Discovered 2025-05-22; fixed 2025-05-30; publicly disclosed 2025-12.
Security Advisory: Unauthorized permission elevation through specially crafted request path
Summary: A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain configurations.
Impact: In affected configurations, an unauthenticated or unauthorized request could retrieve data from endpoints that should be protected.
Affected versions:
<= 3.5.6
<= 4.4.2
Fixed in:
3.5.7
4.4.3
Mitigation / Workarounds:
Upgrade to 3.5.7 or later.
Disclosure timeline:
Discovered 2025-05-22; fixed 2025-05-30; publicly disclosed 2025-12.
References
- GHSA-m654-769v-qjv7
- formio/formio@1665b7c