CVE-2024-35191: verbb/formie Server-Side Template Injection for variable-enabled settings

May 20, 2024

Users with access to a form’s settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text.

This is listed as low-medium severity due to requiring control panel access to edit a form’s settings.

References

github.com/advisories/GHSA-v45m-hxqp-fwf5
github.com/verbb/formie
github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420
github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5
nvd.nist.gov/vuln/detail/CVE-2024-35191

Detect and mitigate CVE-2024-35191 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →