Formidable is a Node.js module used extensively for handling file uploads in web applications. Unfortunately, a high-severity vulnerability (CVE-2022-29622) has been discovered in the formidable v3.1.4 version. This vulnerability enables attackers to exploit the arbitrary file upload and execute malicious codes.

Please note that some third parties argue that this issue shouldn't be considered a vulnerability, as the product's primary use case is uploading arbitrary files. Furthermore, there are configuration options in all the versions of Formidable that can change the default file handling behavior. Despite these arguments, understanding and addressing this issue is crucial to maintaining the security of your applications.

In this post, we will discuss the details of CVE-2022-29622, provide code snippets to demonstrate the vulnerability, review the original security references, and present best practices to protect your applications from exploitation.

Vulnerability Details

The vulnerability in Formidable v3.1.4 allows attackers to upload arbitrary files to the server by crafting a specific filename. When an attacker uploads a file with a crafted filename, the application processes the file and executes the attacker's arbitrary code, potentially giving the attacker full control over the server. In addition to the potential for full compromise, this vulnerability can lead to denial of service, sensitive information disclosure, and other negative impacts.

To illustrate the issue, let's take a look at a simplified code snippet of a vulnerable file upload implementation with Formidable v3.1.4:

const formidable = require('formidable'),
      http = require('http'),
      util = require('util');

http.createServer(function(req, res) {
  if (req.url == '/upload' && req.method.toLowerCase() == 'post') {
    const form = new formidable.IncomingForm();

    form.parse(req, function(err, fields, files) {
      res.writeHead(200, {'content-type': 'text/plain'});
      res.write('Received Upload:\n\n');
      res.end(util.inspect({fields: fields, files: files}));

As you might notice, the code above doesn't include any security mechanisms to prevent the uploading of malicious files. An attacker could exploit this vulnerability by crafting a malicious file named evil.html, which contains arbitrary JavaScript code.

The attacker may submit the following HTML form to the target server

<form action=""; method="post" enctype="multipart/form-data">
  <input type="file" name="uploadedFile">
  <input type="submit" value="Upload">

Upon uploading the malicious file, the arbitrary code will be executed on the server-side, potentially compromising the target server.

1. NIST National Vulnerability Database: CVE-2022-29622
2. GitHub Advisory Database: CVE-2022-29622
3. Formidable GitHub Repository

Mitigation and Best Practices

Although uploading arbitrary files is the primary use of Formidable, applications should still implement security measures to protect against malicious uploads. The following best practices can enhance your application's security and mitigate the risk of exploitation:

1. Install the latest version of Formidable: Update your application's dependencies to the latest secure version of Formidable or use an alternative library that offers more secure file upload handling.

2. Strictly configure Formidable: Utilize Formidable's built-in configuration options to change the default behavior and restrict the types of files that users can upload.

3. Apply server-side validation: Implement server-side validation checks to whitelist or blacklist specific file extensions, MIME types, and other attributes that could indicate a malicious file.

4. Use sandboxing techniques: Store the uploaded files in isolated environments to prevent potential malicious code from accessing sensitive data or system resources.

5. Monitor and analyze user activity: Regularly monitor and analyze user activity and file uploads to detect unusual behaviors or suspicious files.

By implementing these best practices, you can minimize the impact of the CVE-2022-29622 vulnerability and protect your applications from malicious file uploads. While uploading arbitrary files is a common functionality, it's crucial to ensure your application's security and maintain trust with your users.


Published on: 05/16/2022 14:15:00 UTC
Last modified on: 06/02/2022 14:15:00 UTC