Description

Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

INFO

Published Date :

2025-04-26T00:00:00.000Z

Last Modified :

2025-04-29T15:22:37.440Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-46653 vulnerability.

Vendors Products
Node-formidable
  • Formidable
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-46653.

URL Resource
https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10 cve-icon cve-icon cve-icon
https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5 cve-icon cve-icon cve-icon
https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-46653 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-46653 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact