CVE-2025-46653

low-risk
Published 2025-04-26

Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.1/10 Low
NETWORK / HIGH complexity

Affected Products (1)

Formidable

Affected Vendors

Node-Formidable

References (4)

Product https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d...
Patch https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d...
Exploit https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_uploa...
Exploit https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_uploa...
16
/ 100
low-risk
Severity 11/34 · Low
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal