CVE-2025-55797: n/a
An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/[schemaId] endpoint allows unauthenticated attackers to access historical schema data if a valid schemaId is known or guessed.
AI Analysis
Technical Summary
CVE-2025-55797 is a security vulnerability identified in FormCms version 0.5.4, specifically within the API endpoint /api/schemas/history/[schemaId]. This endpoint exposes historical schema data without enforcing proper access control, allowing unauthenticated attackers to access sensitive historical schema information if they can provide or guess a valid schemaId. The vulnerability is classified under CWE-284 (Improper Access Control), indicating that the system fails to restrict access to resources appropriately. The CVSS v3.1 base score is 6.5, reflecting a medium severity level due to the vulnerability's network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact primarily affects confidentiality (C:L), with no direct impact on integrity or availability. The scope remains unchanged (S:U), meaning the vulnerability affects resources within the same security scope. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability could allow attackers to gather historical schema data, potentially exposing sensitive or proprietary information about form structures and their evolution over time, which could aid in further attacks or data leakage.
Potential Impact
For European organizations, the primary impact of this vulnerability lies in the unauthorized disclosure of historical schema data, which may contain sensitive design or configuration details of forms used in various business processes. This exposure could lead to information leakage, aiding attackers in crafting more targeted attacks or understanding internal workflows. Although the vulnerability does not directly compromise data integrity or availability, the confidentiality breach could have regulatory implications under GDPR if personal data or sensitive business information is indirectly exposed. Organizations relying on FormCms for critical form management, especially in sectors like finance, healthcare, or government, may face increased risk. The lack of authentication requirement and ease of exploitation increase the threat level, particularly for publicly accessible FormCms instances. However, the absence of known exploits in the wild suggests limited immediate risk but highlights the need for proactive mitigation.
Mitigation Recommendations
To mitigate CVE-2025-55797, organizations should implement strict access control mechanisms on the /api/schemas/history/[schemaId] endpoint. This includes enforcing authentication and authorization checks to ensure only authorized users can access historical schema data. If possible, restrict access to this endpoint to internal networks or trusted IP ranges. Employ rate limiting and monitoring to detect and block suspicious access patterns that may indicate schemaId enumeration attempts. Review and sanitize schemaId generation to make guessing difficult, such as using non-sequential, cryptographically random identifiers. Regularly audit API endpoints for similar improper access control issues. Since no official patches are currently available, consider deploying web application firewalls (WAFs) with custom rules to block unauthorized access attempts. Additionally, ensure that logging and alerting are configured to capture any unauthorized access attempts for timely incident response.
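One way to implement the monitoring for schemaId enumeration recommended above, shown as an added example (not FormCms or vendor code). It assumes web-server access logs in common log format; the 5-minute window, the threshold of 5 distinct ids, and the sample IPs and schemaIds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (common log format); IPs and schemaIds are made up.
SAMPLE_LOG = """\
203.0.113.9 - - [30/Sep/2025:15:00:01 +0000] "GET /api/schemas/history/101 HTTP/1.1" 404 0
203.0.113.9 - - [30/Sep/2025:15:00:02 +0000] "GET /api/schemas/history/102 HTTP/1.1" 200 5120
203.0.113.9 - - [30/Sep/2025:15:00:03 +0000] "GET /api/schemas/history/103 HTTP/1.1" 404 0
203.0.113.9 - - [30/Sep/2025:15:00:04 +0000] "GET /api/schemas/history/104 HTTP/1.1" 404 0
203.0.113.9 - - [30/Sep/2025:15:00:05 +0000] "GET /api/schemas/history/105 HTTP/1.1" 200 4801
203.0.113.9 - - [30/Sep/2025:15:00:06 +0000] "GET /api/schemas/history/106 HTTP/1.1" 404 0
198.51.100.4 - - [30/Sep/2025:15:01:00 +0000] "GET /api/schemas/history/102 HTTP/1.1" 200 5120
198.51.100.4 - - [30/Sep/2025:15:09:00 +0000] "GET /api/schemas/history/102 HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET '
                     r'/api/schemas/history/(?P<sid>[^/?# ]+)[^"]*" (?P<status>\d{3})')

def parse(text):
    """Yield (ip, time, schemaId, status) for requests to the history endpoint."""
    for m in map(LINE_RE.match, text.splitlines()):
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["sid"], int(m["status"])

def find_enumeration(text, window=timedelta(minutes=5), max_ids=5):
    """Flag clients that request more than max_ids distinct schemaIds within window."""
    per_ip = defaultdict(list)
    for ip, ts, sid, status in parse(text):
        per_ip[ip].append((ts, sid, status))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        in_window, start = Counter(), 0
        for ts, sid, _ in events:
            in_window[sid] += 1
            while ts - events[start][0] > window:  # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                start += 1
            if len(in_window) > max_ids:
                # Record which ids were actually served (HTTP 200) to this client.
                served = sorted({s for _, s, st in events if st == 200})
                alerts[ip] = {"distinct_ids": len(in_window), "served": served}
                break
    return alerts
```

The `served` list gives incident responders the schema histories that were disclosed to a flagged client, which is the confidentiality impact the advisory describes.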
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68dbfe6f055163c02d473839
Added to database: 9/30/2025, 3:59:43 PM
Last enriched: 10/8/2025, 4:52:58 AM
Last updated: 11/17/2025, 9:20:47 AM