CVE-2025-67718

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-67718

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-67718.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-67718

Aliases

GHSA-m654-769v-qjv7

Published

2025-12-11T00:58:43.297Z

Modified

2025-12-11T19:50:08.934165Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Formio improperly authorized permission elevation through specially crafted request path

Details

Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-178",
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67718.json"
}

References

Affected packages

Git / github.com/formio/formio

Affected ranges

Type

GIT

Repo

https://github.com/formio/formio

Events

Introduced

Fixed

59389ba15ee462060c6596bb68826992af8eb45e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.5.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/formio/formio

Events

Introduced

e16408ac22f759fce2eb95c4775e501af42c92de

Fixed

2a209735ad7f847a870c3091501ba641cb8b7d28

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0-rc.1"
        },
        {
            "fixed": "4.4.3"
        }
    ]
}

Affected versions

1.*

1.0.0

1.1.0

1.16.1

1.22.17

2.*

2.0.0-beta.8

2.0.0-beta.9

2.0.0-rc.9

v1.*

v1.1.1

v1.1.10

v1.1.11

v1.1.12

v1.1.13

v1.1.14

v1.1.15

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.8

v1.1.9

v1.10.0

v1.10.1

v1.10.3

v1.11.0

v1.11.1

v1.11.2

v1.11.3

v1.11.4

v1.11.5

v1.11.6

v1.11.7

v1.12.0

v1.12.1

v1.12.2

v1.12.3

v1.12.4

v1.12.5

v1.13.0

v1.14.0

v1.14.1

v1.15.0

v1.15.1

v1.15.10

v1.15.11

v1.15.12

v1.15.13

v1.15.14

v1.15.15

v1.15.2

v1.15.3

v1.15.4

v1.15.5

v1.15.6

v1.15.7

v1.15.8

v1.15.9

v1.16.0

v1.16.1

v1.16.2

v1.16.3

v1.16.4

v1.16.5

v1.17.0

v1.17.1

v1.17.2

v1.17.3

v1.17.4

v1.17.5

v1.17.6

v1.18.0

v1.18.1

v1.18.10

v1.18.11

v1.18.12

v1.18.13

v1.18.14

v1.18.2

v1.18.3

v1.18.4

v1.18.5

v1.18.6

v1.18.7

v1.18.8

v1.18.9

v1.19.0

v1.19.1

v1.19.2

v1.19.3

v1.19.4

v1.19.5

v1.19.6

v1.19.7

v1.2.1

v1.2.2

v1.2.3

v1.20.0

v1.20.1

v1.20.2

v1.21.0

v1.22.0

v1.22.1

v1.22.10

v1.22.11

v1.22.12

v1.22.13

v1.22.14

v1.22.15

v1.22.16

v1.22.17

v1.22.18

v1.22.19

v1.22.2

v1.22.3

v1.22.5

v1.22.6

v1.22.7

v1.22.8

v1.22.9

v1.23.0

v1.23.1

v1.23.10

v1.23.11

v1.23.12

v1.23.2

v1.23.3

v1.23.4

v1.23.5

v1.23.6

v1.23.7

v1.23.8

v1.23.9

v1.24.0

v1.24.1

v1.24.2

v1.24.3

v1.24.4

v1.24.5

v1.24.6

v1.24.7

v1.25.0

v1.25.1

v1.25.10

v1.25.11

v1.25.12

v1.25.2

v1.25.3

v1.25.5

v1.25.6

v1.25.7

v1.25.8

v1.25.9

v1.26.0

v1.26.1

v1.26.2

v1.26.3

v1.26.4

v1.26.5

v1.26.6

v1.26.7

v1.26.8

v1.27.0

v1.27.1

v1.27.2

v1.27.3

v1.27.4

v1.27.5

v1.28.0

v1.29.0

v1.29.1

v1.29.2

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.30.0

v1.30.1

v1.30.2

v1.31.0

v1.31.1

v1.31.2

v1.31.3

v1.31.4

v1.32.0

v1.33.0

v1.33.1

v1.33.2

v1.33.3

v1.33.4

v1.33.5

v1.33.6

v1.34.0

v1.34.1

v1.34.2

v1.34.3

v1.34.4

v1.34.5

v1.34.6

v1.35.0

v1.35.1

v1.35.2

v1.36.0

v1.36.1

v1.36.2

v1.37.0

v1.37.1

v1.37.2

v1.37.3

v1.37.4

v1.37.5

v1.37.6

v1.37.7

v1.38.0

v1.39.0

v1.39.1

v1.39.2

v1.4.0

v1.4.1

v1.40.0

v1.40.1

v1.40.2

v1.41.0

v1.41.1

v1.41.2

v1.41.3

v1.42.0

v1.42.1

v1.43.0

v1.43.1

v1.43.2

v1.44.0

v1.44.1

v1.44.2

v1.44.3

v1.44.4

v1.44.5

v1.44.6

v1.44.7

v1.45.0

v1.46.0

v1.47.0

v1.48.0

v1.48.1

v1.48.2

v1.49.0

v1.5.0

v1.5.1

v1.5.2

v1.50.0

v1.51.0

v1.52.0

v1.53.0

v1.54.0

v1.55.0

v1.56.0

v1.57.0

v1.58.0

v1.59.0

v1.6.0

v1.6.1

v1.6.2

v1.60.0

v1.60.1

v1.60.3

v1.60.4

v1.60.5

v1.60.6

v1.60.7

v1.60.8

v1.61.0

v1.62.0

v1.63.0

v1.63.1

v1.63.10

v1.63.11

v1.63.2

v1.63.3

v1.63.4

v1.63.5

v1.63.6

v1.63.7

v1.63.8

v1.63.9

v1.64.0

v1.65.0

v1.66.0

v1.67.0

v1.68.0

v1.7.0

v1.7.1

v1.7.10

v1.7.11

v1.7.12

v1.7.13

v1.7.15

v1.7.16

v1.7.17

v1.7.18

v1.7.19

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9

v1.70.0

v1.71.0

v1.72.0

v1.73.0

v1.74.0

v1.75.0

v1.76.0

v1.78.0

v1.79.0

v1.8.0

v1.8.1

v1.8.10

v1.8.11

v1.8.12

v1.8.14

v1.8.17

v1.8.18

v1.8.19

v1.8.2

v1.8.20

v1.8.21

v1.8.22

v1.8.23

v1.8.24

v1.8.25

v1.8.26

v1.8.27

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.8.9

v1.80.0

v1.81.0

v1.82.0

v1.83.0

v1.84.0

v1.85.0

v1.86.0

v1.87.0

v1.88.0

v1.89.0

v1.9.0

v1.9.1

v1.9.10

v1.9.11

v1.9.12

v1.9.13

v1.9.14

v1.9.15

v1.9.16

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

v1.9.7

v1.9.8

v1.9.9

v1.90.0

v1.90.1

v1.90.2

v1.90.3

v1.90.4

v1.90.5

v1.90.6

v1.90.7

v2.*

v2.0.0

v2.0.0-beta.1

v2.0.0-beta.10

v2.0.0-beta.2

v2.0.0-beta.3

v2.0.0-beta.4

v2.0.0-beta.5

v2.0.0-beta.6

v2.0.0-beta.7

v2.0.0-beta.8

v2.0.0-rc.1

v2.0.0-rc.10

v2.0.0-rc.11

v2.0.0-rc.12

v2.0.0-rc.13

v2.0.0-rc.14

v2.0.0-rc.15

v2.0.0-rc.16

v2.0.0-rc.17

v2.0.0-rc.18

v2.0.0-rc.19

v2.0.0-rc.2

v2.0.0-rc.20

v2.0.0-rc.21

v2.0.0-rc.22

v2.0.0-rc.23

v2.0.0-rc.24

v2.0.0-rc.25

v2.0.0-rc.26

v2.0.0-rc.27

v2.0.0-rc.28

v2.0.0-rc.29

v2.0.0-rc.3

v2.0.0-rc.30

v2.0.0-rc.31

v2.0.0-rc.32

v2.0.0-rc.33

v2.0.0-rc.34

v2.0.0-rc.35

v2.0.0-rc.36

v2.0.0-rc.37

v2.0.0-rc.38

v2.0.0-rc.39

v2.0.0-rc.4

v2.0.0-rc.40

v2.0.0-rc.41

v2.0.0-rc.42

v2.0.0-rc.43

v2.0.0-rc.5

v2.0.0-rc.6

v2.0.0-rc.7

v2.0.0-rc.8

v2.0.0-rc.9

v2.0.1-rc.1

v2.0.1-rc.2

v2.1.0

v2.1.0-rc.1

v2.1.0-rc.10

v2.1.0-rc.11

v2.1.0-rc.12

v2.1.0-rc.13

v2.1.0-rc.14

v2.1.0-rc.15

v2.1.0-rc.16

v2.1.0-rc.17

v2.1.0-rc.18

v2.1.0-rc.2

v2.1.0-rc.3

v2.1.0-rc.4

v2.1.0-rc.5

v2.1.0-rc.6

v2.1.0-rc.7

v2.1.0-rc.8

v2.1.0-rc.9

v2.1.1

v2.1.1-rc.2

v2.2.0

v2.2.0-rc.1

v2.2.0-rc.2

v2.2.1

v2.2.1-rc.1

v2.2.1-rc.2

v2.2.2

v2.2.2-rc.1

v2.2.2-rc.2

v2.2.2-rc.3

v2.2.2-rc.4

v2.2.2-rc.5

v2.2.2-rc.6

v2.2.2-rc.7

v2.2.2-rc.8

v2.2.3

v2.2.3-rc.10

v2.2.3-rc.11

v2.2.3-rc.3

v2.2.3-rc.4

v2.2.3-rc.5

v2.2.3-rc.6

v2.2.3-rc.7

v2.2.3-rc.8

v2.2.3-rc.9

v2.2.4-rc.1

v2.21.4

v2.3.0

v2.3.0-rc.1

v2.3.0-rc.11

v2.3.0-rc.12

v2.3.0-rc.13

v2.3.0-rc.14

v2.3.0-rc.15

v2.3.0-rc.16

v2.3.0-rc.17

v2.3.0-rc.3

v2.3.0-rc.4

v2.3.0-rc.5

v2.3.0-rc.6

v2.3.0-rc.7

v2.3.0-rc.8

v2.3.0-rc.9

v2.3.1

v2.3.1-rc.1

v2.3.2

v2.3.2-rc.1

v2.3.2-rc.2

v2.3.2-rc.3

v2.3.3

v2.3.3-rc.1

v2.3.3-rc.2

v2.3.3-rc.3

v2.4.0-rc.1

v2.4.0-rc.2

v2.5.0-rc.1

v2.5.0-rc.2

v2.5.0-rc.3

v2.5.0-rc.4

v2.5.0-rc.5

v2.5.0-rc.6

v2.5.0-rc.7

v2.5.0-rc.8

v3.*

v3.0.0-rc.1

v3.0.0-rc.10

v3.0.0-rc.11

v3.0.0-rc.2

v3.0.0-rc.3

v3.0.0-rc.4

v3.0.0-rc.5

v3.0.0-rc.6

v3.0.0-rc.7

v3.0.0-rc.8

v3.0.0-rc.9

v3.1.0-rc.1

v3.1.0-rc.2

v3.1.0-rc.3

v3.1.0-rc.4

v3.1.0-rc.5

v3.4.0

v3.4.0-rc.1

v3.4.0-rc.10

v3.4.0-rc.11

v3.4.0-rc.12

v3.4.0-rc.13

v3.4.0-rc.14

v3.4.0-rc.15

v3.4.0-rc.16

v3.4.0-rc.17

v3.4.0-rc.18

v3.4.0-rc.19

v3.4.0-rc.2

v3.4.0-rc.3

v3.4.0-rc.4

v3.4.0-rc.5

v3.4.0-rc.6

v3.4.0-rc.7

v3.4.0-rc.8

v3.4.0-rc.9

v3.4.1-rc.1

v3.4.1-rc.2

v3.4.1-rc.3

v3.4.1-rc.4

v3.5.0

v3.5.0-rc.1

v3.5.0-rc.2

v3.5.0-rc.3

v3.5.0-rc.4

v3.5.0-rc.5

v3.5.0-rc.6

v3.5.1

v3.5.1-rc.1

v3.5.1-rc.2

v3.5.1-rc.3

v3.5.1-rc.4

v3.5.2

v3.5.2-rc.1

v3.5.2-rc.2

v3.5.2-rc.3

v3.5.2-rc.4

v3.5.3

v3.5.3-rc.1

v3.5.3-rc.2

v3.5.3-rc.3

v3.5.4

v3.5.4-rc.1

v3.5.4-rc.2

v3.5.4-rc.3

v3.5.5

v3.5.5-rc.1

v3.5.5-rc.2

v3.5.5-rc.3

v3.5.6

v3.5.6-rc.1

v3.5.6-rc.2

v3.5.7-rc.1

v4.*

v4.0.0

v4.0.0-rc.1

v4.0.0-rc.10

v4.0.0-rc.11

v4.0.0-rc.12

v4.0.0-rc.13

v4.0.0-rc.14

v4.0.0-rc.15

v4.0.0-rc.16

v4.0.0-rc.17

v4.0.0-rc.18

v4.0.0-rc.19

v4.0.0-rc.2

v4.0.0-rc.20

v4.0.0-rc.21

v4.0.0-rc.22

v4.0.0-rc.23

v4.0.0-rc.24

v4.0.0-rc.25

v4.0.0-rc.26

v4.0.0-rc.27

v4.0.0-rc.29

v4.0.0-rc.3

v4.0.0-rc.30

v4.0.0-rc.31

v4.0.0-rc.32

v4.0.0-rc.33

v4.0.0-rc.4

v4.0.0-rc.5

v4.0.0-rc.6

v4.0.0-rc.7

v4.0.0-rc.8

v4.0.0-rc.9

v4.1.0-rc.1

v4.1.0-rc.2

v4.1.0-rc.3

v4.1.0-rc.4

v4.2.0

v4.2.0-rc.1

v4.2.0-rc.2

v4.2.0-rc.3

v4.2.0-rc.4

v4.2.0-rc.5

v4.2.0-rc.6

v4.2.1-rc.1

v4.2.1-rc.3

v4.2.1-rc.4

v4.2.1-rc.5

v4.3.0

v4.3.0-rc.10

v4.3.0-rc.11

v4.3.0-rc.12

v4.3.0-rc.13

v4.3.0-rc.14

v4.3.0-rc.15

v4.3.0-rc.16

v4.3.0-rc.17

v4.3.0-rc.18

v4.3.0-rc.19

v4.3.0-rc.2

v4.3.0-rc.20

v4.3.0-rc.21

v4.3.0-rc.22

v4.3.0-rc.23

v4.3.0-rc.24

v4.3.0-rc.25

v4.3.0-rc.26

v4.3.0-rc.27

v4.3.0-rc.28

v4.3.0-rc.29

v4.3.0-rc.3

v4.3.0-rc.30

v4.3.0-rc.31

v4.3.0-rc.32

v4.3.0-rc.33

v4.3.0-rc.34

v4.3.0-rc.35

v4.3.0-rc.36

v4.3.0-rc.37

v4.3.0-rc.38

v4.3.0-rc.4

v4.3.0-rc.5

v4.3.0-rc.6

v4.3.0-rc.7

v4.3.0-rc.8

v4.3.0-rc.9

v4.4.0

v4.4.0-rc.1

v4.4.0-rc.12

v4.4.0-rc.13

v4.4.0-rc.14

v4.4.0-rc.15

v4.4.0-rc.16

v4.4.0-rc.17

v4.4.0-rc.18

v4.4.0-rc.19

v4.4.0-rc.2

v4.4.0-rc.20

v4.4.0-rc.21

v4.4.0-rc.22

v4.4.0-rc.23

v4.4.0-rc.24

v4.4.0-rc.25

v4.4.0-rc.26

v4.4.0-rc.27

v4.4.0-rc.28

v4.4.0-rc.29

v4.4.0-rc.3

v4.4.0-rc.30

v4.4.0-rc.31

v4.4.0-rc.32

v4.4.0-rc.33

v4.4.0-rc.34

v4.4.0-rc.35

v4.4.0-rc.36

v4.4.0-rc.37

v4.4.0-rc.38

v4.4.0-rc.4

v4.4.0-rc.5

v4.4.0-rc.6

v4.4.0-rc.7

v4.4.0-rc.8

v4.4.0-rc.9

v4.4.1-rc.1

v4.4.2

v4.4.2-rc.1

v4.4.2-rc.2

v4.4.2-rc.3

v4.4.2-rc.4

v4.4.2-rc.5

v4.4.2-rc.6

v4.4.2-rc.7

v4.4.3-rc.1