Skip to content

Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content #2605

New issue
New issue
Open
Open
Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content#2605
Labels
bugThis points to a verified bug in the code
@orenBerko

Description

@orenBerko
orenBerko
opened on May 4, 2025

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

i got this on Dependabot alert:
Package
Affected versions
Patched version
formidable
(npm)

= 2.1.0, < 2.1.3
None

Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

Reproduction

check in Dependabot alerts

Additional context

No response

Lock version

13.0.0

Which browsers have you tested in?

Chrome

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugThis points to a verified bug in the code

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions