Vulnerabilities

 1 via 1 paths

Dependencies

 6

Source

 npm
Find a vulnerability free version of formidable | View formidable package health on Snyk Advisor

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
Status
  • 1
  • 0
  • 0

critical severity
new

Arbitrary File Upload

  • Vulnerable module: formidable
  • Introduced through: formidable@2.0.1

Detailed paths

  • Introduced through: formidable@2.0.1
    Remediation: Upgrade to formidable@3.2.4.

Overview

Affected versions of this package are vulnerable to Arbitrary File Upload which allows attackers to execute arbitrary code via a crafted filename.

Note:

The conditions to be vulnerable are as follows:

  1. eval (user input) file name as code

  2. use the keepextension option

  3. use Linux or =iOS (where <>` are valid file chars)

  4. not using the filename option, or using it without validating user input

    Remediation

    Upgrade formidable to version 3.2.4 or higher.

    References

Arbitrary File Upload vulnerability report