We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-46653



Description

Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

Reserved 2025-04-26 | Published 2025-04-26 | Updated 2025-04-29 | Assigner mitre


LOW: 3.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Product status

Default status
unaffected

2.1.0 before 3.5.3
affected

References

github.com/...rts/blob/main/formidable/file_upload/report.md

github.com/...54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1

github.com/...ommit/022c2c5577dfe14d2947f10909d81b03b6070bf5

cve.org (CVE-2025-46653)

nvd.nist.gov (CVE-2025-46653)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-46653

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.