Arbitrary File Upload in formidable versions <3.2.4 #1725
Comments
Do you have an estimate on when this might be fixed (by adopting formidable 3.2.4)?
Please file a request or submit a PR in formidable for the vulnerability fix to be backported to the v2.x tag of formidable, the non-ESM version, as it should be backported for community CJS support. Ref:
Looks like Formidable will not be backporting a fix and they recommend upgrading to v3 as "the codebase between v3 and v2 is almost the same".
We are going to wait until they release a new version with both CJS and ESM support (as @tunnckoCore has shared they plan to do). The vulnerability is not as severe as everyone is making it out to be. Please read the CVE completely.
Also, if someone opens a PR to the v2 branch (master is v3) with the changes and my recent comments from this PR node-formidable/formidable#857, we can land a v2 patch version sooner than the v3 cjs/esm thing. My comment on 856 was before seeing this PR.
@tunnckoCore we can gladly award a bug bounty over PayPal if you're able to do this quicker than we can - a bit tied up at the moment!
I can try in the next few hours, or ultimately in the next 2-3 days.
@tunnckoCore np 😄 you rock 🤘 Also we've had a lot of success using np for releases (and generating nice release pages) (it doesn't auto-add to the CHANGELOG.md though, maybe you can use generate-changelog separately or deprecate the CHANGELOG.md in favor of the Releases tab, which I've seen a lot of projects doing lately). Hard to maintain both, let alone the code!
Yea.. There have been plans to switch to a monorepo for quite some time, and I'm curious to try Nrwl's Nx + Lerna. Ultimately release v3 & v4 to latest soon, and drop and deprecate all older versions altogether, because v2 is already 1 and a half years old, many should have already switched. Turns out managing multiple parallel versions on an old codebase (since node 0.6-8), millions of downloads, and a team of two.. isn't working well haha..
The advisory has been revoked https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956.
🚀 v9.0.0 released to npm 🚀 https://github.com/ladjs/superagent/releases/tag/v9.0.0 ref: #1800 Forward Email
Snyk has detected a critical level vulnerability in formidable versions <3.2.4. The vulnerability allows attackers to execute arbitrary code via a crafted filename.
https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956
superagent is currently compatible with version 2.0.1