VYPR

npm package

formidable

pkg:npm/formidable

Vulnerabilities (2)

  • CVE-2025-46653 | Low | Apr 26, 2025
    affected >= 3.1.1-canary.20211030, < 3.5.3 | fixed 3.5.3

    Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of

  • CVE-2022-29622 | May 16, 2022
    affected < 3.2.4 | fixed 3.2.4

    An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, th