NOTICE: Formidable Vulnerability is NOT valid #20189

Open
derrickmehaffy opened this issue Apr 23, 2024 · 1 comment
Labels: flag: notice (This flag is used for announcement issues)

derrickmehaffy (Member) commented Apr 23, 2024

Since we have seen an uptick in users submitting vulnerability reports and improperly reporting the issue (in violation of our Security Policy) via GitHub issues, I am creating this notice to add some clarification.

Several points related to this:

  • Strapi is not vulnerable to this, as it was always intended by Formidable that applications are responsible for properly handling file names, since Formidable is a very low-level library -> We do our own sanitization, as was intended
  • This vulnerability should never have been considered valid to begin with and was requested to be removed from the MITRE/NVD databases
  • Snyk has already removed it as an invalid vulnerability

References:


At this time, we, Strapi, have no plans to modify dependencies to "resolve" this vulnerability, as it should be removed from the various vulnerability databases in due time for being invalid.

Any issues or vulnerability reports opened with regards to this package will be immediately closed and locked. If you have questions or concerns about this decision you can comment below or reach out to the Strapi Security Team via security@strapi.io.

@derrickmehaffy derrickmehaffy added the flag: notice This flag is used for announcement issues label Apr 23, 2024
@derrickmehaffy derrickmehaffy self-assigned this Apr 23, 2024
@derrickmehaffy derrickmehaffy pinned this issue Apr 23, 2024
@derrickmehaffy derrickmehaffy changed the title Notice: Formidable Vulnerability is NOT valid NOTICE: Formidable Vulnerability is NOT valid Apr 23, 2024
@derrickmehaffy derrickmehaffy mentioned this issue Apr 23, 2024
derrickmehaffy (Member, Author) commented

As an update to this the GitHub advisory was revoked today as well: GHSA-8cp3-66vr-3r4c
