logo

Database

Insecure generation of random numbers In node-formidable

Description

Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

1-10 of 19

10

Aliases

1. CVE-2025-466532. NVD-2025-466533. OSV-DEBIAN-2025-466534. OSV-2025-466535. GCVE-2025-466536. SECURITY-TRACKER-CVE-2025-46653

References

1. https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf52. https://github.com/node-formidable/formidable/commit/37a3e89fca1ed68ec674a539f13aafd62221ddaa3. https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L104. https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md5. https://www.npmjs.com/package/formidable/v/2.1.36. https://www.npmjs.com/package/formidable/v/3.5.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.