Formidable <3.2.4 Arbitrary File Upload Critical Severity #1799
Comments
|
Same. Dependabot has raised a critical security alert for us. Formidable should be upgraded soon. |
|
It's the same issue for me. any plan to fix it? Thanks. |
|
Same here. |
|
There was a PR to update formidable to latest (3.5.1). Why was it closed? |
|
Older issue: #1781 |
|
@kudlav so it's the node js version issue? As the esm shouldn't be a problem anymore |
|
formidable v3 changed to ES modules, the breaking change is in the parser callback params. |
|
I'm using audit-ci in my pipeline and the |
|
Difference between test results before update and after update Just trying to figure out a safe and reliable way to map the new result format |
|
Working with http2 but getting timeouts with http1 |
|
Remaining issues with http1 when using formidable v3:
|
Struggling to make any progress. Can someone pull my changes and have a look? |
|
the fix would be to clone this library, create your own with an updated formidable package version... |
the npm override is a functional temporary fix if you're not using the formidable dep. "overrides": {
"superagent": {
"formidable": "3.2.5"
}
}, |
I would like to warn you that |
I am the author of URL: From there, you can see the GitHub advisory ID. In this case, you can also find a link to the GitHub advisory itself. You can view the advisory directly: GHSA-8cp3-66vr-3r4c |
If someone will face issue regarding ES module here is the config snippet for jest "transform": {
"\\.[jt]sx?$": "babel-jest"
},
"transformIgnorePatterns": [
"node_modules/(?!(formidable)/)"
] |
|
Thanks for the quick turnaround 🙏 |
|
Hey guys, we use a few packages that are still using v8 of superagent, ie: supertest and json-refs. I am not sure how soon they will be updated to v9... in the meantime would be possible to get a point update under v8? I know this issue is closed, should I create a new issue? edit: edit: I'm going to stop using json-refs that package is stale, so... nevermind regarding v7 thanks. |
|
It looks like the GitHub Action test run fails silently on the same |
Looking into this again now, I think the it may be an issue in Console errors to see where the code is getting to: Results are the same given 5 or 20 seconds: Errors given at end of tests: For |
|
Unfortunately I don't have time today to have a look into the changes in formidable, but for anyone who wants to investigate this, here's the code for the old and new versions of the parser (I couldn't find 2.1.2 but found 2.1.1): 2.1.1: https://github.com/node-formidable/formidable/blob/v2-latest/src/parsers/Multipart.js |
I'm having more of a look again, but also will have to stop at some point. 🤞 |
|
I couldn't help myself, but to have a quick look haha, I will hopefully come back to it later if no one has figured it out. But adding Example of the failing tests with http1: Example of passing tests with http2: |
|
Same here... |
|
Just another quick update.
|
|
In this code snippet below, in
Here is also a comparison of the headers: Hope this info helps! |
|
I am more clueless than I was before, I haven't made any code changes but ran the tests again and this time the second failing test received the "data" event and got the data from the last field attached... |
|
The advisory was withdrawn again |
When running
npm audit reportwe are seeing a critical vulnerability due to the version offormidablebeing used.I've seen previous issues such as #1725 which indicate that it has been revoked but I can see it on the GitHub database last updated a few hours ago:
GHSA-8cp3-66vr-3r4c
Are there any plans to upgrade to the latest version of
formidable?The text was updated successfully, but these errors were encountered: