CVE-2022-29622: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-29622 is an arbitrary file upload vulnerability discovered in formidable v3.1.4, a Node.js module for parsing form data. The vulnerability was disclosed on May 16, 2022. The vulnerability allows attackers to execute arbitrary code via a crafted filename (NVD).

The vulnerability stems from inappropriate filename handling and filtering in the formidable package. The issue relates to how the package processes filenames in form uploads, where the original implementation assumed that applications would handle filename sanitization themselves, as formidable is a low-level library (Strapi Issue). The vulnerability received a CVSS score of 9.8, indicating critical severity (CERT-FR).

If exploited, the vulnerability could potentially allow attackers to execute arbitrary code through specially crafted filenames in file uploads. However, it's worth noting that the actual impact depends on how the application implements and uses the formidable package (Strapi Issue).

While initially reported as a security issue, the formidable maintainers have clarified that proper filename handling should be implemented at the application level, as formidable is a low-level library. Applications using formidable should implement their own filename sanitization measures appropriate to their specific use case (Formidable Issue).

The security community has had mixed reactions to this vulnerability. Several organizations, including Snyk, have removed this from their vulnerability databases, considering it invalid. The consensus appears to be that this should not have been classified as a vulnerability in the first place, as it was always intended that applications would handle filename sanitization (Strapi Issue).