Commit 7e24ab7

cve
1 parent 72f0984 commit 7e24ab7

1 file changed

+1
-1
lines changed

yarn-audit-known-issues

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
{"actions":[],"advisories":{"1104069":{"findings":[{"version":"2.1.2","paths":["@hmcts/nodejs-healthcheck>superagent>formidable"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-46653\n- https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5\n- https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10\n- https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md\n- https://github.com/advisories/GHSA-75v8-2h7p-7m2m","created":"2025-04-26T21:31:26.000Z","id":1104069,"npm_advisory_id":null,"overview":"Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not \"cryptographically secure.\" (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.","reported_by":null,"title":"Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content","metadata":null,"cves":["CVE-2025-46653"],"access":"public","severity":"low","module_name":"formidable","vulnerable_versions":">=2.1.0 <3.5.3","github_advisory_id":"GHSA-75v8-2h7p-7m2m","recommendation":"Upgrade to version 3.5.3 or later","patched_versions":">=3.5.3","updated":"2025-04-29T14:07:18.000Z","cvss":{"score":3.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-338"],"url":"https://github.com/advisories/GHSA-75v8-2h7p-7m2m"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":0,"critical":0},"dependencies":412,"devDependencies":129,"optionalDependencies":0,"totalDependencies":541}}
1+
{"actions":[],"advisories":{"1104170":{"findings":[{"version":"2.1.2","paths":["@hmcts/nodejs-healthcheck>superagent>formidable"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-46653\n- https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5\n- https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10\n- https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md\n- https://github.com/node-formidable/formidable/commit/37a3e89fca1ed68ec674a539f13aafd62221ddaa\n- https://github.com/advisories/GHSA-75v8-2h7p-7m2m","created":"2025-04-26T21:31:26.000Z","id":1104170,"npm_advisory_id":null,"overview":"Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not \"cryptographically secure.\" (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) 
NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.","reported_by":null,"title":"Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content","metadata":null,"cves":["CVE-2025-46653"],"access":"public","severity":"low","module_name":"formidable","vulnerable_versions":">=2.1.0 <2.1.3","github_advisory_id":"GHSA-75v8-2h7p-7m2m","recommendation":"None","patched_versions":"<0.0.0","updated":"2025-04-30T21:07:24.000Z","cvss":{"score":3.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-338"],"url":"https://github.com/advisories/GHSA-75v8-2h7p-7m2m"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":0,"critical":0},"dependencies":412,"devDependencies":129,"optionalDependencies":0,"totalDependencies":541}}
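Review bot: the added line re-accepts the same finding under a new advisory id (1104069 becomes 1104170) with no recorded justification; the commit message is only "cve". The finding itself is unchanged (formidable 2.1.2 via @hmcts/nodejs-healthcheck>superagent>formidable, CVE-2025-46653, severity low); what differs is advisory metadata: `vulnerable_versions` is now ">=2.1.0 <2.1.3", `patched_versions` is "<0.0.0", `recommendation` is "None", and one more reference was added. Because the new range ends at <2.1.3 and the flagged copy is 2.1.2, check whether a formidable release outside that range can be pulled in (a yarn `resolutions` entry or an update of @hmcts/nodejs-healthcheck) before suppressing the advisory again, and state the outcome and the reason for acceptance in the commit message so the exception can be reviewed later.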
