Formidable <3.2.4 Arbitrary File Upload Critical Severity

[domcorso-nib]

When running npm audit report we are seeing a critical vulnerability due to the version of formidable being used.

I've seen previous issues such as #1725 which indicate that it has been revoked but I can see it on the GitHub database last updated a few hours ago:
GHSA-8cp3-66vr-3r4c

Are there any plans to upgrade to the latest version of formidable?

[shivam178]

Same. Dependabot has raised a critical security alert for us. Formidable should be upgraded soon.

Dependabot cannot update formidable to a non-vulnerable version
The latest possible version that can be installed is 2.1.2 
The earliest fixed version is 3.2.4.

[lukewang2018]

It's the same issue for me. any plan to fix it? Thanks.

# npm audit report

formidable  <3.2.4
Severity: critical
Formidable arbitrary file upload - https://github.com/advisories/GHSA-8cp3-66vr-3r4c
No fix available
node_modules/formidable
  superagent  >=0.4.0
  Depends on vulnerable versions of formidable

[un4ckn0wl3z]

Same here.

[kasparfalkenberg]

There was a PR to update formidable to latest (3.5.1). Why was it closed?

[kudlav]

Older issue: #1781

[kasparfalkenberg]

@kudlav so it's the node js version issue? As the esm shouldn't be a problem anymore

[tomstrong64]

formidable v3 changed to ES modules, the breaking change is in the parser callback params. files now returns an array instead of an object regardless of how many files are uploaded. Writing a fix now
formidable v2

formidable v3

[Yehonal]

I'm using audit-ci in my pipeline and the npm audit fix --force is not able to fix this issue. So I was wondering: what do you guys use in this case if you have audit checks in your CI/CD? can the "overrides" option from the npm package.json be a solution or there's no better way than temporarily allow it in the audit-ci tool?