On 4/27/25 20:41, Salvatore Bonaccorso wrote:
Source: node-formidable
Version: 3.2.5+20221017git493ec88+~cs4.0.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-formidable.
CVE-2025-46653[0]:
| Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3
| relies on hexoid to prevent guessing of filenames for untrusted
| executable content; however, hexoid is documented as not
| "cryptographically secure." (Also, there is a scenario in which only
| the last two characters of a hexoid string need to be guessed, but
| this is not often relevant.) NOTE: this does not imply that, in a
| typical use case, attackers will be able to exploit any hexoid
| behavior to upload and execute their own content.
Since the upstream fix is to switch from hexoid to cuid2, I guess the
fix to backport this to older versions is too intrusive and we might
ignore it. Please comment on how you see the problem.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-46653
https://www.cve.org/CVERecord?id=CVE-2025-46653
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Hi,
The proposed fix uses two new dependencies, not yet available in the Debian
archive:
$ pkgjs-depends @paralleldrive/cuid2@^2.2.2
# @paralleldrive/cuid2@^2.2.2
# 1 missing npm module(s)
MISSING:
@paralleldrive/cuid2@^2.2.2
└── @noble/hashes (1.8.0)
I think it will be complicated to fix this before Debian 14, since the freeze
has started for Debian 13.