-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Arbitrary File Upload in formidable versions <3.2.4 #1725
Comments
Do you have an estimate on when this might be fixed (by adopting formidable 3.2.4)? |
Please file a request or submit a PR in formidable for the vulnerability fix to be backported to v2.x tag of formidable, the non-ESM version, as it should be backported for community CJS support. Ref: |
Looks like Formidable will not be backporting a fix and they recommend to upgrade to v3 as "the codebase between v3 and v2 is almost the same". |
We are going to wait until they release a new version with both CJS and ESM support (as @tunnckoCore has shared they plan to do). The vulnerability is not as severe as everyone is making it out to be. Please read the CVE completely. |
Also, if someone PR to the v2 branch (master is v3), with the changes and my recent comments from this PR node-formidable/formidable#857 we can land v2 patch version sooner than the v3 cjs/esm thing. My comment on 856, was befote seeing this pr. |
@tunnckoCore we can gladly award a bug bounty over PayPal if you're able to do this quicker than we can - a bit tied up at the moment! |
I can try in the next few hours, or ultimately next 2-3 days. |
@tunnckoCore np 😄 you rock 🤘 Also we've had a lot of success using np for releases (and generating nice release pages) (it doesn't auto-add to the CHANGELOG.md though, maybe you can use generate-changelog separately or deprecate the CHANGELOG.md in favor of Releases tab; which I've seen a lot of projects doing lately). Hard to maintain both let alone the code! |
Yea.. There are plans to switching to monorepo for quite some time, and I'm curious to try Nrwl's Nx + Lerna. Ultimately release v3 & v4 to latest soon, and drop and deprecate all olders versions altogether, because v2 is already 1 and a half years old, many should already switched. Turns out managing multiple parallel versions on an old codebase (since node 0.6-8), millions of downloads, and team of two.. isn't working well haha.. |
The advisory has been revoked https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956. |
🚀 v9.0.0 released to npm 🚀 https://github.com/ladjs/superagent/releases/tag/v9.0.0 ref: #1800 Forward Email |
Snyk has detected a critical level vulnerability in formidable versions <3.2.4. The vulnerability allows attackers to execute arbitrary code via a crafted filename.
https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956
superagent is currently compatible with version 2.0.1
The text was updated successfully, but these errors were encountered: