NOTICE: Formidable Vulnerability is NOT valid

Since we have seen an uptick in users submitting vulnerability reports and improperly reporting the issue (in violation of our Security Policy) via GitHub issues I am creating this notice to add some clarification.

Several points related to this:

Strapi is not vulnerable to this as it was always intended by Formidable that applications are responsible to properly handle file names as Formidable is a very low level library -> We do our own sanitation as it was intended
This vulnerability should have never been considered valid to begin with and was requested to removed from the MITRE/NVD databases
Snyk has already removed it as an invalid vulnerability

References:

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-29622
Original issue from Formidable GH back in June 2022: https://github.com/node-formidable/formidable/issues/856
Second issue from Formidable GH back in July 2022: https://github.com/node-formidable/formidable/issues/862
Snyk database: https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956
Related reference from another project discussing this: https://github.com/jhuckaby/pixl-server-web/issues/4
Another reference from another project discussing this: https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1593
Detailed breakdown of this "false" vulnerability report: https://gitlab.com/keymandll/blog/-/blob/master/posts/03062022-Invulnerability_Analysis-CVE-2022%E2%80%9329622/index.md

At this time, we Strapi, have no plans to modify dependencies to "resolve" this vulnerability as it should be removed from the various vulnerabilities databases in due time for being invalid.

Any issues or vulnerability reports opened with regards to this package will be immediately closed and locked. If you have questions or concerns about this decision you can comment below or reach out to the Strapi Security Team via security@strapi.io.

strapi / strapi

NOTICE: Formidable Vulnerability is NOT valid #20189