[Pkg-javascript-devel] Bug#1104246: Bug#1104246: node-formidable: CVE-2025-46653
Yadd
yadd at debian.org
Sun Apr 27 21:03:41 BST 2025
On 4/27/25 20:41, Salvatore Bonaccorso wrote:
> Source: node-formidable
> Version: 3.2.5+20221017git493ec88+~cs4.0.9-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for node-formidable.
>
> CVE-2025-46653[0]:
> | Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3
> | relies on hexoid to prevent guessing of filenames for untrusted
> | executable content; however, hexoid is documented as not
> | "cryptographically secure." (Also, there is a scenario in which only
> | the last two characters of a hexoid string need to be guessed, but
> | this is not often relevant.) NOTE: this does not imply that, in a
> | typical use case, attackers will be able to exploit any hexoid
> | behavior to upload and execute their own content.
>
> Since the upstream fix is to switch from hexoid to cuid2, I guess the
> fix to backport this to older versions is too intrusive and we might
> ignore it. Please comment how you see the problem.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-46653
> https://www.cve.org/CVERecord?id=CVE-2025-46653
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Hi,
The proposed fix uses two new dependencies, not yet available in Debian
archive:
$ pkgjs-depends @paralleldrive/cuid2@^2.2.2
# @paralleldrive/cuid2@^2.2.2
# 1 missing npm module(s)
MISSING:
@paralleldrive/cuid2@^2.2.2
└── @noble/hashes (1.8.0)
I think it will be complicated to fix this before Debian 14, since the freeze
has started for Debian 13.