node-formidable
cpe:2.3:a:node-formidable:formidable:*:*:*:*:node.js:*:*
- >= 2.1.0, < 3.5.3
A vulnerability exists in Formidable (node-formidable) versions 2.1.0 through 3.x prior to 3.5.3, related to how filenames are generated for uploaded content that may be untrusted and executable. The library relied on hexoid to randomize upload filenames, but hexoid is not considered cryptographically secure, so the generated names can be predictable. In certain scenarios, only the last two characters of a hexoid string may need to be guessed, although this is rarely applicable.
Exploitation could lead to untrusted executable content being uploaded and potentially executed, although this behavior is not commonly expected.
Users can update to Formidable version 3.5.3 or later, where this vulnerability has been addressed by switching the randomization method from hexoid to cuid2, using the '@paralleldrive/cuid2' package for improved security.