Summary: A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain configurations.
Impact: In affected configurations, an unauthenticated or unauthorized request could retrieve data from endpoints that should be protected.
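The CWE-178 pattern the summary describes, as an added example that is not formio's code: a guard that compares the raw request path against protected prefixes, beside a hardened form that canonicalises (percent-decodes, collapses `.`/`..`/empty segments) and lower-cases the path before the authorization decision. The route prefixes and the middleware are hypothetical.

```javascript
// Added example (not formio's code). Hypothetical endpoints that need authorization.
const PROTECTED_PREFIXES = ["/api/admin", "/api/export"];

// Vulnerable (CWE-178 shape): compares the path exactly as received. If the
// router matches routes case-insensitively, "/API/Admin/users" still reaches
// the admin handler, but this guard never fires. It also treats "/api/adminx"
// as protected because it checks a bare prefix with no segment boundary.
function isProtectedNaive(requestPath) {
  return PROTECTED_PREFIXES.some((p) => requestPath.startsWith(p));
}

// Canonicalise the path the way the router will see it: drop the query string,
// percent-decode, remove empty and "." segments, resolve "..", lower-case each
// segment. Returns null (caller fails closed) on bad encoding or root escape.
function canonicalPath(requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath.split("?")[0]);
  } catch (e) {
    return null; // malformed percent-encoding: refuse rather than guess
  }
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // attempt to climb above the root
      out.pop();
      continue;
    }
    out.push(seg.toLowerCase());
  }
  return "/" + out.join("/");
}

// Hardened: decide on the canonical form and only on whole path segments.
function isProtectedHardened(requestPath) {
  const canon = canonicalPath(requestPath);
  if (canon === null) return true; // fail closed
  return PROTECTED_PREFIXES.some((p) => canon === p || canon.startsWith(p + "/"));
}

// Express-style middleware (hypothetical) built on the hardened check.
function requireAuthForProtected(req, res, next) {
  if (isProtectedHardened(req.path) && !req.user) {
    return res.status(401).json({ error: "authentication required" });
  }
  return next();
}
```

The guard must see the same canonical path the router dispatches on; any gap between the two is where a case or encoding variant slips through.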
Affected versions:
<= 3.5.6
<= 4.4.2
Fixed in:
3.5.7
4.4.3
Mitigation / Workarounds:
Upgrade to 3.5.7 or later on the 3.x line, or to 4.4.3 or later on the 4.x line.
Disclosure timeline:
Discovered 2025-05-22; fixed 2025-05-30; publicly disclosed 2025-12.
| Score | Percentile |
|---|---|
| 0.08% | 22.98% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.7 | 4.0 | — | — |
| Type | Value |
|---|---|
| GHSA | GHSA-m654-769v-qjv7 |
| CVE | CVE-2025-67718 |
| CWE id | Name |
|---|---|
| CWE-178 | Improper Handling of Case Sensitivity |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | formio | < 3.5.7 | 3.5.7 | — |
| npm | formio | >= 4.0.0-rc.1, < 4.4.3 | 4.4.3 | — |