Hi, upstream chose to add a new dependency to fix CVE-2025-46653. However, I think using the built-in "crypto" module is enough to fix this potential lack of randomness. Since Trixie has been frozen, I propose this little patch to fix the issue without changing the source (i.e. without adding a component).
The proposed patch:
- replaces hexoid (which uses Math.random) with the built-in "crypto" module;
- increases the id length from 25 characters to 40.
If you think it's OK as a fix for the issue, I'll upload it and file an unblock request in the BTS. Best regards, Xavier
diff --git a/debian/changelog b/debian/changelog
index 48bd4c9..8d6ae4b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-formidable (3.2.5+20221017git493ec88+~cs4.0.9-2) unstable; urgency=medium
+
+ * Team upload
+ * Use "crypto" to have a better randomness
+ (Closes: #1104246, CVE-2025-46653)
+
+ -- Yadd <y...@debian.org> Mon, 21 Jul 2025 15:22:39 +0200
+
 node-formidable (3.2.5+20221017git493ec88+~cs4.0.9-1) unstable; urgency=medium
 
 * Team upload
diff --git a/debian/patches/CVE-2025-46653.patch b/debian/patches/CVE-2025-46653.patch
new file mode 100644
index 0000000..573cacd
--- /dev/null
+++ b/debian/patches/CVE-2025-46653.patch
@@ -0,0 +1,43 @@
+Description: Use crypto for a better randomness
+Author: Yadd <y...@debian.org>
+Bug: https://security-tracker.debian.org/tracker/CVE-2025-46653
+Bug-Debian: https://bugs.debian.org/1104246
+Forwarded: not-needed
+Last-Update: 2025-07-21
+
+--- a/src/Formidable.js
++++ b/src/Formidable.js
+@@ -5,7 +5,7 @@
+ import path from 'node:path';
+ import { EventEmitter } from 'node:events';
+ import { StringDecoder } from 'node:string_decoder';
+-import hexoid from 'hexoid';
++import crypto from 'crypto';
+ import once from 'once';
+ import dezalgo from 'dezalgo';
+ import { octetstream, querystring, multipart, json } from './plugins/index.js';
+@@ -16,7 +16,6 @@
+ import * as errors from './FormidableError.js';
+ import FormidableError from './FormidableError.js';
+ 
+-const toHexoId = hexoid(25);
+ const DEFAULT_OPTIONS = {
+ maxFields: 1000,
+ maxFieldsSize: 20 * 1024 * 1024,
+@@ -38,6 +37,16 @@
+ filename: undefined,
+ };
+ 
++const toHexoId = (length = 40) => {
++ const charset = 'abcdefghijklmnopqrstuvwxyz0123456789';
++ const bytes = crypto.randomBytes(length);
++ let result = '';
++ for (let i = 0; i < length; i++) {
++ result += charset[bytes[i] % charset.length];
++ }
++ return result;
++};
++
+ function hasOwnProp(obj, key) {
+ return Object.prototype.hasOwnProperty.call(obj, key);
+ }
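Review bot: The character selection in the new `toHexoId`, `charset[bytes[i] % charset.length]`, is modulo-biased: a byte has 256 values and the charset 36, so `a`–`d` are drawn 8/256 of the time and every other character 7/256. The bias is small and 40 base-36 characters (about 206 bits) still carry far more entropy than the 25-character id being replaced, but the standard library already provides an unbiased draw, so `result += charset[crypto.randomInt(charset.length)];` per iteration, with the `randomBytes` line dropped, yields a uniform id at the same cost. Separately, the new line `import crypto from 'crypto';` sits among imports that all use the `node:` scheme; `import crypto from 'node:crypto';` would match the file's convention and also guards against resolution of a same-named package. The call sites of `toHexoId` are outside the hunk, so whether every caller relies on the `length = 40` default is inferred, not visible here.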
diff --git a/debian/patches/series b/debian/patches/series
index 2800d40..f43a21c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 export-cjs-files.patch
+CVE-2025-46653.patch