Vulnerabilities: 1 (via 1 path)
Dependencies: 17
Source: npm


Severity: critical (new)

Arbitrary File Upload

  • Vulnerable module: formidable
  • Introduced through: formidable@2.0.1

Detailed paths

  • Introduced through: vee-formidable@1.0.11 › formidable@2.0.1
    Remediation: Upgrade to formidable@3.2.4.

Overview

Affected versions of this package are vulnerable to Arbitrary File Upload, which allows attackers to execute arbitrary code via a crafted filename.

Note: the conditions required to be vulnerable are as follows:

  1. the application evaluates the (user-supplied) file name as code;

  2. the keepExtensions option is enabled, so the extension taken from the client-supplied name is appended to the stored file name;

  3. the server runs on Linux or macOS, where the characters `<`, `>` and `` ` `` are valid in file names;

  4. the filename option is not used, or is used without validating user input.

Remediation

Upgrade formidable to version 3.2.4 or higher.