Received: (at submit) by bugs.debian.org; 27 Apr 2025 18:41:11 +0000
Return-path: <carnil@debian.org>
Received: from c-82-192-244-13.customer.ggaweb.ch ([82.192.244.13]:51434
 helo=eldamar.lan) by buxtehude.debian.org with esmtp (Exim 4.94.2)
 (envelope-from <carnil@debian.org>) id 1u96wA-009emQ-43
 for submit@bugs.debian.org; Sun, 27 Apr 2025 18:41:11 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-formidable: CVE-2025-46653
Message-ID: <174577926801.3776235.15199937519597762400.reportbug@eldamar.lan>
X-Mailer: reportbug 13.1.0
Date: Sun, 27 Apr 2025 20:41:08 +0200
Delivered-To: submit@bugs.debian.org

Source: node-formidable
Version: 3.2.5+20221017git493ec88+~cs4.0.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-formidable.

CVE-2025-46653[0]:
| Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3
| relies on hexoid to prevent guessing of filenames for untrusted
| executable content; however, hexoid is documented as not
| "cryptographically secure." (Also, there is a scenario in which only
| the last two characters of a hexoid string need to be guessed, but
| this is not often relevant.) NOTE: this does not imply that, in a
| typical use case, attackers will be able to exploit any hexoid
| behavior to upload and execute their own content.

Since the upstream fix is to switch from hexoid to cuid2, I guess the
fix to backport this to older versions is too intrusive and we might
ignore it. Please comment how you see the problem.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46653
    https://www.cve.org/CVERecord?id=CVE-2025-46653

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore