
Cloud Vulnerability DB
A community-led vulnerabilities database
Formidable (aka node-formidable) versions 2.1.0 through 3.x before 3.5.3 generate the random filenames for uploaded files with hexoid. Those uploads are untrusted content and may be executable, yet hexoid is documented as not being cryptographically secure: it seeds each name from Math.random() rather than a CSPRNG. Worse, hexoid builds each name from a random prefix followed by a two-hex-character incrementing counter, so consecutive names from one generator differ only in their last two characters. NVD therefore notes a scenario in which only the last two characters of a hexoid string need to be guessed, while also stating that this scenario is not applicable in most cases (NVD).
The vulnerability has been assigned a CVSS v3.1 Base Score of 3.1 (LOW) with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network by a low-privileged user without user interaction, but with high attack complexity and an integrity-only impact. The issue is classified under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) (NVD).
The impact of this vulnerability is considered low. Predictable filenames only matter where an attacker can act on another user's upload by name, and NVD states that in typical use cases attackers will not be able to exploit the hexoid behavior to upload and execute their own content (NVD). Applications that serve the upload directory directly, or that keep uploads under the generated name, should still treat the upgrade as worthwhile.
The vulnerability has been patched in Formidable version 3.5.3. The fix replaces hexoid with cuid2 (the @paralleldrive/cuid2 package) for generating random names, which is designed to be unpredictable while keeping the 25-character length that callers may depend on (Formidable Changelog).
Source: This report was generated using AI