-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Formidable <3.2.4 Arbitrary File Upload Critical Severity #1799
Comments
Same. Dependabot has raised a critical security alert for us. Formidable should be upgraded soon.
|
It's the same issue for me. any plan to fix it? Thanks.
|
There was a PR to update formidable to latest (3.5.1). Why was it closed? |
Older issue: #1781 |
@kudlav so it's the node js version issue? As the esm shouldn't be a problem anymore |
I'm using audit-ci in my pipeline and the |
Working with http2 but getting timeouts with http1 |
Remaining issues with http1 when using formidable v3:
|
Struggling to make any progress. Can someone pull my changes and have a look? |
the fix would be to clone this library, create your own with an updated formidable package version... |
the npm override is a functional temporary fix if you're not using the formidable dep. "overrides": {
"superagent": {
"formidable": "3.2.5"
}
}, |
I would like to warn you that |
I am the author of URL: From there, you can see the GitHub advisory ID. In this case, you can also find a link to the GitHub advisory itself. You can view the advisory directly: GHSA-8cp3-66vr-3r4c |
If someone will face issue regarding ES module here is the config snippet for jest "transform": {
"\\.[jt]sx?$": "babel-jest"
},
"transformIgnorePatterns": [
"node_modules/(?!(formidable)/)"
] |
Thanks for the quick turnaround 🙏 |
Hey guys, we use a few packages that are still using v8 of superagent, ie: supertest and json-refs. I am not sure how soon they will be updated to v9... in the meantime would be possible to get a point update under v8? I know this issue is closed, should I create a new issue? edit:
edit: I'm going to stop using json-refs that package is stale, so... nevermind regarding v7 thanks. |
It looks like the GitHub Action test run fails silently on the same |
Looking into this again now, I think the it may be an issue in Console errors to see where the code is getting to: Results are the same given 5 or 20 seconds: For |
Unfortunately I don't have time today to have a look into the changes in formidable, but for anyone who wants to investigate this, here's the code for the old and new versions of the parser (I couldn't find 2.1.2 but found 2.1.1): 2.1.1: https://github.com/node-formidable/formidable/blob/v2-latest/src/parsers/Multipart.js |
I'm having more of a look again, but also will have to stop at some point. 🤞 |
I couldn't help myself, but to have a quick look haha, I will hopefully come back to it later if no one has figured it out. But adding |
Same here... |
I am more clueless than I was before, I haven't made any code changes but ran the tests again and this time the second failing test received the "data" event and got the data from the last field attached... |
The advisory was withdrawn again |
When running
npm audit report
we are seeing a critical vulnerability due to the version offormidable
being used.I've seen previous issues such as #1725 which indicate that it has been revoked but I can see it on the GitHub database last updated a few hours ago:
GHSA-8cp3-66vr-3r4c
Are there any plans to upgrade to the latest version of
formidable
?The text was updated successfully, but these errors were encountered: