
fix(node-formidable): CVE-2025-46653#2

Merged
Zeno-sole merged 1 commit into master from fix/CVE-2025-46653
May 7, 2026

Conversation


@deepin-ci-robot deepin-ci-robot commented May 7, 2026

CVE fix

CVE ID: CVE-2025-46653

Vulnerability description: filenames are generated with the insecure hexoid, which may make filenames predictable.

Fix approach: replace the insecure hexoid with Node.js's built-in crypto.randomBytes()

Affected versions: 2.0.0 to 3.5.2 (before 3.5.3)

Current version: 3.2.5

Verification status: ✅ quilt verification passed

Fix-Approach: local adaptation
Generated by: CVE-Fixer Agent
Co-Authored-By: hudeng <hudeng@deepin.org>

@deepin-ci-robot
Contributor Author

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign qaqland for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


github-actions Bot commented May 7, 2026

TAG Bot

TAG: 3.2.5+20221017git493ec88+_cs4.0.9-1deepin1
EXISTED: no
DISTRIBUTION: unstable

@hudeng-go
Contributor

/integrate


github-actions Bot commented May 7, 2026

AutoIntegrationPr Bot
auto integrate with pr url: deepin-community/Repository-Integration#3931
PrNumber: 3931
PrBranch: auto-integration-25479124556

@Zeno-sole

/integrate

@deepin-ci-robot deepin-ci-robot force-pushed the fix/CVE-2025-46653 branch 2 times, most recently from a2a6471 to f182a82 on May 7, 2026 07:35
Use crypto.randomBytes instead of hexoid for secure random filename
generation. hexoid is not cryptographically secure and may lead to
predictable filenames.

Upstream-Reference: node-formidable/formidable@022c2c5
Fix-Approach: local adaptation

Note: Upstream fix requires @paralleldrive/cuid2 dependency which is
not packaged in deepin/Debian. This patch uses crypto.randomBytes as
a secure local alternative that provides similar security guarantees
without introducing new dependencies.

Generated-By: glm-5.1
Co-Authored-By: hudeng <hudeng@deepin.org>
@hudeng-go
Contributor

/integrate

@Zeno-sole Zeno-sole merged commit 846e14c into master May 7, 2026
8 of 9 checks passed