CVE-2025-46653

NameCVE-2025-46653
DescriptionFormidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1104246

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-formidable (PTS)bullseye1.2.1+20200129git8231ea6-1vulnerable
bookworm, forky, sid, trixie3.2.5+20221017git493ec88+~cs4.0.9-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-formidablesource(unstable)4.0.4+~2.1.0-11104246

Notes

[trixie] - node-formidable <ignored> (Minor issue)
[bookworm] - node-formidable <ignored> (Minor issue)
[bullseye] - node-formidable <ignored> (Minor issue)
Fixed by: https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5 (v3.5.3)
Search for package or bug name: Reporting problems