| Name | CVE-2025-46653 |
| Description | Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1104246 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-formidable (PTS) | bullseye | 1.2.1+20200129git8231ea6-1 | vulnerable |
| forky, sid, bookworm, trixie | 3.2.5+20221017git493ec88+~cs4.0.9-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-formidable | source | (unstable) | (unfixed) | 1104246 |
[trixie] - node-formidable <ignored> (Minor issue)
[bookworm] - node-formidable <ignored> (Minor issue)
[bullseye] - node-formidable <ignored> (Minor issue)
Fixed by: https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5 (v3.5.3)