deepin-community · Zeno-sole · May 7, 2026 · May 7, 2026
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,11 @@
+node-formidable (3.2.5+20221017git493ec88+~cs4.0.9-1deepin1) unstable; urgency=medium
+
+  * Fix CVE-2025-46653: use crypto.randomBytes instead of hexoid for
+    secure random filename generation (local adaptation of upstream
+    fix).
+
+ -- deepin-ci-robot <packages@deepin.org>  Thu, 07 May 2026 15:47:34 +0800
+
 node-formidable (3.2.5+20221017git493ec88+~cs4.0.9-1) unstable; urgency=medium
 
   * Team upload

diff --git a/debian/patches/CVE-2025-46653.patch b/debian/patches/CVE-2025-46653.patch
@@ -0,0 +1,31 @@
+Index: node-formidable/src/Formidable.js
+===================================================================
+--- node-formidable.orig/src/Formidable.js
++++ node-formidable/src/Formidable.js
+@@ -5,7 +5,7 @@ import os from 'node:os';
+ import path from 'node:path';
+ import { EventEmitter } from 'node:events';
+ import { StringDecoder } from 'node:string_decoder';
+-import hexoid from 'hexoid';
++import { randomBytes } from 'node:crypto';
+ import once from 'once';
+ import dezalgo from 'dezalgo';
+ import { octetstream, querystring, multipart, json } from './plugins/index.js';
+@@ -16,7 +16,7 @@ import MultipartParser from './parsers/M
+ import * as errors from './FormidableError.js';
+ import FormidableError from './FormidableError.js';
+
+-const toHexoId = hexoid(25);
++const generateId = () => randomBytes(16).toString('hex').substring(0, 25);
+ const DEFAULT_OPTIONS = {
+   maxFields: 1000,
+   maxFieldsSize: 20 * 1024 * 1024,
+@@ -565,7 +565,7 @@ class IncomingForm extends EventEmitter
+       };
+     } else {
+       this._getNewName = (part) => {
+-        const name = toHexoId();
++        const name = generateId();
+
+         if (part && this.options.keepExtensions) {
+           const originalFilename =
diff --git a/debian/patches/series b/debian/patches/series
@@ -1 +1,2 @@
 export-cjs-files.patch
+CVE-2025-46653.patch