formidable — CVE history (npm)

formidable

2 CVEs affect the formidable npm package (highest CVSS 9.8). Latest disclosed: 2025-04-26. Full CVE history sourced from NVD.

Summary

Package: formidable (npm)
Total CVEs: 2
Actively exploited (CISA KEV): 0
Highest CVSS: 9.8
Latest disclosed: 2025-04-26

Recent CVEs (top 2)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-46653 | Low | 3.1 | | 2025-04-26 | Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario… |
| CVE-2022-29622 | Critical | 9.8 | | 2022-05-16 | An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. |

All-time worst (top 2 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2022-29622 | Critical | 9.8 | | 2022-05-16 | An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. |
| CVE-2025-46653 | Low | 3.1 | | 2025-04-26 | Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario… |