Hi,

upstream chose to add a new dependency to fix CVE-2025-46653. However, I think using the built-in "crypto" module is enough to fix this potential lack of randomness. Since Trixie has been frozen, I propose this small patch to fix the issue without adding a new component to the source.

The proposed patch:
 - replaces hexoid (which uses Math.random) with the built-in "crypto" module
 - increases the id length from 25 characters to 40

If you think this is an acceptable fix for the issue, I'll upload it and file an unblock request in the BTS.

Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 48bd4c9..8d6ae4b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-formidable (3.2.5+20221017git493ec88+~cs4.0.9-2) unstable; urgency=medium
+
+  * Team upload
+  * Use "crypto" to have a better randomness
+    (Closes: #1104246, CVE-2025-46653)
+
+ -- Yadd <y...@debian.org>  Mon, 21 Jul 2025 15:22:39 +0200
+
 node-formidable (3.2.5+20221017git493ec88+~cs4.0.9-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2025-46653.patch 
b/debian/patches/CVE-2025-46653.patch
new file mode 100644
index 0000000..573cacd
--- /dev/null
+++ b/debian/patches/CVE-2025-46653.patch
@@ -0,0 +1,43 @@
+Description: Use crypto for a better randomness
+Author: Yadd <y...@debian.org>
+Bug: https://security-tracker.debian.org/tracker/CVE-2025-46653
+Bug-Debian: https://bugs.debian.org/1104246
+Forwarded: not-needed
+Last-Update: 2025-07-21
+
+--- a/src/Formidable.js
++++ b/src/Formidable.js
+@@ -5,7 +5,7 @@
+ import path from 'node:path';
+ import { EventEmitter } from 'node:events';
+ import { StringDecoder } from 'node:string_decoder';
+-import hexoid from 'hexoid';
++import crypto from 'crypto';
+ import once from 'once';
+ import dezalgo from 'dezalgo';
+ import { octetstream, querystring, multipart, json } from 
'./plugins/index.js';
+@@ -16,7 +16,6 @@
+ import * as errors from './FormidableError.js';
+ import FormidableError from './FormidableError.js';
+ 
+-const toHexoId = hexoid(25);
+ const DEFAULT_OPTIONS = {
+   maxFields: 1000,
+   maxFieldsSize: 20 * 1024 * 1024,
+@@ -38,6 +37,16 @@
+   filename: undefined,
+ };
+ 
++const toHexoId = (length = 40) => {
++  const charset = 'abcdefghijklmnopqrstuvwxyz0123456789';
++  const bytes = crypto.randomBytes(length);
++  let result = '';
++  for (let i = 0; i < length; i++) {
++    result += charset[bytes[i] % charset.length];
++  }
++  return result;
++};
++
+ function hasOwnProp(obj, key) {
+   return Object.prototype.hasOwnProperty.call(obj, key);
+ }
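Review bot: The `charset[bytes[i] % charset.length]` step in the new `toHexoId` is biased, because 256 is not a multiple of 36: the first four characters of `charset` each get 8/256 of the draws and the rest 7/256, so the output is not uniform even though the bytes come from a CSPRNG. With 40 characters the remaining entropy is still far above what an id needs, but the bias is avoidable for free by drawing each index with `crypto.randomInt(charset.length)` and dropping the `randomBytes` line, i.e. `result += charset[crypto.randomInt(charset.length)];`. The import on the `+import crypto from 'crypto';` line also breaks the file's convention, since the surrounding imports all use the `node:` prefix; `import crypto from 'node:crypto';` keeps it consistent and avoids resolving a userland package of the same name. The call sites of `toHexoId()` that the removed `hexoid(25)` line used to serve are outside this hunk, so whether every caller invokes it with no arguments (as the default parameter assumes) cannot be confirmed here.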
diff --git a/debian/patches/series b/debian/patches/series
index 2800d40..f43a21c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 export-cjs-files.patch
+CVE-2025-46653.patch
