DEBIAN-CVE-2025-46653
- Source
- https://security-tracker.debian.org/tracker/CVE-2025-46653
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-46653.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-46653
- Upstream
- Published
- 2025-04-26T21:15:14Z
- Modified
- 2025-10-18T09:31:38.633259Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.
- References
Affected packages
Debian:11 / node-formidable
Package
- Name
- node-formidable
- Purl
- pkg:deb/debian/node-formidable?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1.*
1.2.1+20200129git8231ea6-1
1.2.1+20200129git8231ea6-2
3.*
3.2.1+20220105git2815e91+~cs4.0.6-1
3.2.1+20220105git2815e91+~cs4.0.6-2
3.2.1+20220105git2815e91+~cs4.0.6-3
3.2.1+20220105git2815e91+~cs4.0.6-4
3.2.3+20220426git971e3a7+~cs4.0.8-1
3.2.4+20220519git81dd350+~cs4.0.9-1
3.2.4+20220822gitd285a08+~cs4.0.9-1
3.2.5+20221017git493ec88+~cs4.0.9-1
Debian:12 / node-formidable
Package
- Name
- node-formidable
- Purl
- pkg:deb/debian/node-formidable?arch=source
Debian:13 / node-formidable
Package
- Name
- node-formidable
- Purl
- pkg:deb/debian/node-formidable?arch=source
Debian:14 / node-formidable
Package
- Name
- node-formidable
- Purl
- pkg:deb/debian/node-formidable?arch=source