Form.io can expose powerful API-based form workflows, including user-submitted data and custom logic execution. Hardening should focus on API authorization correctness, evaluator safety, and integration-secret control.
- Track Form.io advisories and patch immediately when security fixes are published.
- Upgrade beyond the vulnerable versions for the known path-handling issue (fixed in 3.5.7 and 4.4.3; CVE-2025-67718 / GHSA-m654-769v-qjv7).
- Validate route-based authorization behavior in staging after upgrades.
- Keep dependencies and container base images updated.
- Use Form.io protected evaluator for user-supplied JS customization flows.
- Restrict who can add custom logic/actions in production projects.
- Review and test server-side hooks before enabling for public forms.
- Disable unused action types that expose external integrations.
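The checklist above asks for restricting who may add custom logic and for reviewing it before it reaches a public form. The following is an added example, not Form.io project code: it walks a form definition and reports every component that embeds custom JavaScript, so a deployment pipeline can route such definitions to review and let only trusted roles publish them. The property names it inspects (`calculateValue`, `customConditional`, `customDefaultValue`, `validate.custom`, and `logic[].trigger`/`logic[].actions`) are taken from Form.io's component schema as I know it; the sample form, the role names and the policy function are constructed for illustration.

```javascript
// Added example (not Form.io project code): audit a Form.io form definition for
// embedded custom JavaScript and gate publishing on the submitter's role.
// Assumption: the property names below match Form.io's component schema; adjust
// the lists if your Form.io version stores custom logic under other keys.

const CUSTOM_CODE_FIELDS = ['calculateValue', 'customConditional', 'customDefaultValue'];

// Form.io stores custom JS as strings; treat any non-empty string as code.
function hasCode(value) {
  return typeof value === 'string' && value.trim().length > 0;
}

// Recursively visit components, descending into nested layout containers
// (panels/fieldsets via `components`, `columns`, and table `rows`).
function* walk(components, path = []) {
  for (const comp of components || []) {
    const here = [...path, comp.key || comp.type || '?'];
    yield { comp, path: here.join('.') };
    if (Array.isArray(comp.components)) yield* walk(comp.components, here);
    if (Array.isArray(comp.columns)) {
      for (const col of comp.columns) yield* walk(col.components, here);
    }
    if (Array.isArray(comp.rows)) {
      for (const row of comp.rows) for (const cell of row) yield* walk(cell.components, here);
    }
  }
}

// Returns one finding per custom-code location: [{ path, field }]
function auditCustomLogic(form) {
  const findings = [];
  for (const { comp, path } of walk(form.components)) {
    for (const field of CUSTOM_CODE_FIELDS) {
      if (hasCode(comp[field])) findings.push({ path, field });
    }
    if (comp.validate && hasCode(comp.validate.custom)) {
      findings.push({ path, field: 'validate.custom' });
    }
    for (const [i, rule] of (comp.logic || []).entries()) {
      // Logic triggers of type 'javascript' and actions of type 'customAction' carry code
      if (rule.trigger && rule.trigger.type === 'javascript') {
        findings.push({ path, field: `logic[${i}].trigger.javascript` });
      }
      for (const [j, action] of (rule.actions || []).entries()) {
        if (action.type === 'customAction') {
          findings.push({ path, field: `logic[${i}].actions[${j}].customAction` });
        }
      }
    }
  }
  return findings;
}

// Policy gate (constructed): forms without custom logic may always be published;
// forms with custom logic require at least one trusted role on the submitter.
function canPublish(form, submitterRoles, trustedRoles = ['administrator']) {
  const findings = auditCustomLogic(form);
  if (findings.length === 0) return { allowed: true, findings };
  const trusted = submitterRoles.some((r) => trustedRoles.includes(r));
  return { allowed: trusted, findings };
}

// Constructed sample form definition (not from any real project)
const sampleForm = {
  components: [
    { type: 'textfield', key: 'firstName', input: true },
    { type: 'textfield', key: 'total', calculateValue: 'value = data.a + data.b' },
    {
      type: 'panel',
      key: 'details',
      components: [
        { type: 'email', key: 'email', validate: { custom: 'valid = input.endsWith("@example.com")' } },
        {
          type: 'textfield',
          key: 'note',
          logic: [{ name: 'hide', trigger: { type: 'javascript', javascript: 'result = true' }, actions: [{ type: 'property' }] }],
        },
      ],
    },
  ],
};

console.log(canPublish(sampleForm, ['authenticated']));
```

Run this against every form definition in a CI step before it is pushed to a production project; a non-empty `findings` list from an untrusted submitter is the point at which a human review (and the protected evaluator on the runtime side) should be required.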
3) Harden API and data boundaries
- Enforce HTTPS for all API and form endpoints.
- Keep MongoDB/Redis/internal services private.
- Rotate JWT/API secrets and external connector credentials regularly.
- Encrypt backups containing submissions and PII.
- Form.io docs: https://help.form.io/
- Form.io protected evaluator docs: https://help.form.io/developers/form-development/form-evaluations/protected-evaluator
- Form.io source repository: https://github.com/formio/formio
- Form.io advisory (GHSA-m654-769v-qjv7): https://github.com/formio/formio/security/advisories/GHSA-m654-769v-qjv7