Arbitrary File Upload in formidable versions <3.2.4

[SimonEspositoTG]

Snyk has detected a critical level vulnerability in formidable versions <3.2.4. The vulnerability allows attackers to execute arbitrary code via a crafted filename.

https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956

superagent is currently compatible with version 2.0.1

[ejodet]

Do you have an estimate on when this might be fixed (by adopting formidable 3.2.4)?

[titanism]

Please file a request or submit a PR in formidable for the vulnerability fix to be backported to v2.x tag of formidable, the non-ESM version, as it should be backported for community CJS support.

Ref:

• node-formidable/formidable@81dd350
• [Snyk] Security upgrade formidable from 2.0.1 to 3.2.4 #1724
• Found CVE-2022-29622 in one of your dependent library- superagent supertest#780
• Arbitrary File Upload in formidable versions <3.2.4 #1725

Looks like Formidable will not be backporting a fix and they recommend to upgrade to v3 as "the codebase between v3 and v2 is almost the same".
node-formidable/formidable#856 (comment)

[titanism]

We are going to wait until they release a new version with both CJS and ESM support (as @tunnckoCore has shared they plan to do). The vulnerability is not as severe as everyone is making it out to be. Please read the CVE completely.

[tunnckoCore]

Check this too https://medium.com/@zsolt.imre/cve-2022-29622-in-vulnerability-analysis-5cf783c3721

[tunnckoCore]

Also, if someone PR to the v2 branch (master is v3), with the changes and my recent comments from this PR node-formidable/formidable#857 we can land v2 patch version sooner than the v3 cjs/esm thing.

My comment on 856, was befote seeing this pr.

[titanism]

@tunnckoCore we can gladly award a bug bounty over PayPal if you're able to do this quicker than we can - a bit tied up at the moment!

[tunnckoCore]

I can try in the next few hours, or ultimately next 2-3 days.

[titanism]

@tunnckoCore np 😄 you rock 🤘

Also we've had a lot of success using np for releases (and generating nice release pages) (it doesn't auto-add to the CHANGELOG.md though, maybe you can use generate-changelog separately or deprecate the CHANGELOG.md in favor of Releases tab; which I've seen a lot of projects doing lately). Hard to maintain both let alone the code!

[tunnckoCore]

Yea.. There are plans to switching to monorepo for quite some time, and I'm curious to try Nrwl's Nx + Lerna.

Ultimately release v3 & v4 to latest soon, and drop and deprecate all olders versions altogether, because v2 is already 1 and a half years old, many should already switched.

Turns out managing multiple parallel versions on an old codebase (since node 0.6-8), millions of downloads, and team of two.. isn't working well haha..