[Pkg-javascript-devel] Bug#1104246: node-formidable: CVE-2025-46653
Salvatore Bonaccorso
carnil at debian.org
Sun Apr 27 19:41:08 BST 2025
Source: node-formidable
Version: 3.2.5+20221017git493ec88+~cs4.0.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for node-formidable.
CVE-2025-46653[0]:
| Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3
| relies on hexoid to prevent guessing of filenames for untrusted
| executable content; however, hexoid is documented as not
| "cryptographically secure." (Also, there is a scenario in which only
| the last two characters of a hexoid string need to be guessed, but
| this is not often relevant.) NOTE: this does not imply that, in a
| typical use case, attackers will be able to exploit any hexoid
| behavior to upload and execute their own content.
Since the upstream fix is to switch from hexoid to cuid2, I guess the
fix to backport this to older versions is too intrusive and we might
ignore it. Please comment how you see the problem.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-46653
https://www.cve.org/CVERecord?id=CVE-2025-46653
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore