Closed
Since we have seen an uptick in users submitting vulnerability reports and improperly reporting the issue (in violation of our Security Policy) via GitHub issues, I am creating this notice to add some clarification.
Several points related to this:
- Strapi is not vulnerable to this: Formidable is a very low-level library, and it was always intended by Formidable that applications are responsible for properly handling file names themselves. We do our own sanitization, as intended.
- This vulnerability should never have been considered valid to begin with, and a request was made to remove it from the MITRE/NVD databases.
- Snyk has already removed it as an invalid vulnerability
References:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-29622
- Original issue from Formidable GH back in June 2022: Vulnerability CVE-2022-29622 is reported by Whitesource node-formidable/formidable#856
- Second issue from Formidable GH back in July 2022: Filename filtering is inappropriate node-formidable/formidable#862
- Snyk database: https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956
- Related reference from another project discussing this: Formidable CVE jhuckaby/pixl-server-web#4
- Another reference from another project discussing this: CVE-2022-29622 (High) detected in formidable-2.0.1.tgz - autoclosed opensearch-project/OpenSearch-Dashboards#1593
- Detailed breakdown of this "false" vulnerability report: https://gitlab.com/keymandll/blog/-/blob/master/posts/03062022-Invulnerability_Analysis-CVE-2022%E2%80%9329622/index.md
At this time, we (Strapi) have no plans to modify dependencies to "resolve" this vulnerability, as it should be removed from the various vulnerability databases in due time for being invalid.
Any issues or vulnerability reports opened regarding this package will be immediately closed and locked. If you have questions or concerns about this decision, you can comment below or reach out to the Strapi Security Team via security@strapi.io.