Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content

[orenBerko]

Checklist

• I have looked into the Readme and Examples, and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

i got this on Dependabot alert:
Package
Affected versions
Patched version
formidable
(npm)

= 2.1.0, < 2.1.3
None

Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

Reproduction

check in Dependabot alerts

Additional context

No response

Lock version

13.0.0

Which browsers have you tested in?

Chrome

[ankita10119]

@orenBerko

Thanks for reporting this! This vulnerability has already been fixed.

The formidable package was updated to version 3.5.4 when we upgraded auth0-js to 9.29.0 back in October. Anyone using auth0-lock v14.2.3 or later is protected.

Closing this as resolved. Thanks again for raising this issue.