CVE-2022-29622 Overview
CVE-2022-29622 is an arbitrary file upload vulnerability affecting Formidable v3.1.4, a popular Node.js library used for parsing form data, especially file uploads. This vulnerability allows attackers to execute arbitrary code via a crafted filename, potentially leading to complete system compromise.
It is important to note that this vulnerability is disputed by some third parties. The Formidable project argues that uploading arbitrary files is the intended behavior for common use cases, and configuration options exist in all versions to change the default file handling behavior. Additionally, Strapi has stated they do not consider this a valid vulnerability.
Critical Impact
Attackers can upload malicious files with crafted filenames to achieve arbitrary code execution on vulnerable Node.js applications using Formidable v3.1.4, potentially leading to complete server compromise.
Affected Products
- Formidable v3.1.4 for Node.js
- Applications using Formidable v3.1.4 with default file upload configurations
- Node.js web applications implementing file upload functionality via Formidable
Discovery Timeline
- 2022-05-16 - CVE-2022-29622 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-29622
Vulnerability Analysis
This vulnerability falls under CWE-434 (Unrestricted Upload of File with Dangerous Type), a classification indicating insufficient validation of file uploads. The core issue stems from Formidable's default handling of uploaded files, where the library does not adequately validate or sanitize filenames provided by users.
When an attacker uploads a file with a specially crafted filename, the library processes it without proper validation, potentially allowing the file to be written to unintended locations or executed by the server. This is particularly dangerous in web application contexts where uploaded files may be served or processed by backend systems.
The network-accessible nature of this vulnerability means it can be exploited remotely without requiring authentication or user interaction. Successful exploitation could result in unauthorized code execution, data exfiltration, or complete server takeover.
Root Cause
The root cause of CVE-2022-29622 lies in Formidable's default file upload handling mechanism. By design, Formidable processes uploaded files without enforcing strict filename validation or file type restrictions. While this permissive approach offers flexibility for various use cases, it creates a security risk when developers rely on default configurations without implementing additional validation layers.
The library's assumption that developers will implement their own validation and security controls conflicts with secure-by-default principles, leading to potential exploitation when applications use Formidable without proper hardening.
Attack Vector
The attack is executed over the network against web applications using vulnerable versions of Formidable. An attacker can craft a malicious HTTP multipart form request containing a file with a specially designed filename. When the application processes this upload using Formidable's default configuration, the malicious file is saved without proper sanitization.
Exploitation scenarios include:
- Uploading executable scripts (e.g., .js, .php) with path traversal sequences in the filename
- Overwriting critical application files through directory traversal
- Placing web shells in publicly accessible directories for remote code execution
For detailed technical analysis and proof-of-concept discussions, refer to the GitHub Issue #856 and GitHub Issue #862 on the Formidable repository.
Detection Methods for CVE-2022-29622
Indicators of Compromise
- Unusual file uploads with suspicious filenames containing path traversal sequences (../, ..\\)
- Newly created executable files in web-accessible directories
- Unexpected script files with extensions like .js, .sh, or .php in upload directories
- Web server logs showing multipart form submissions with anomalous filename patterns
Detection Strategies
- Monitor file system activity for newly created files in upload directories and web-accessible paths
- Implement web application firewall (WAF) rules to detect path traversal patterns in multipart form data
- Audit application dependencies to identify usage of Formidable v3.1.4 using tools like npm audit or Snyk
- Review Node.js application logs for file upload operations with suspicious filename characteristics
Monitoring Recommendations
- Enable detailed logging for all file upload operations including filename, file type, and destination path
- Configure real-time alerting for file creation events in sensitive directories
- Implement integrity monitoring on web application directories to detect unauthorized file modifications
- Deploy endpoint detection and response (EDR) solutions to identify post-exploitation activity
How to Mitigate CVE-2022-29622
Immediate Actions Required
- Review all applications using Formidable and implement explicit filename sanitization before file storage
- Configure Formidable's filter option to restrict allowed file types
- Use the filename option to generate safe, randomized filenames for uploaded files
- Implement server-side validation to reject files with suspicious filename patterns
Patch Information
This vulnerability is disputed, and no specific patch has been released to address it. The Formidable maintainers recommend using configuration options available in all versions to control file handling behavior. Developers should:
- Review the GitHub Issue #856 for the maintainers' position on this issue
- Implement custom file handling using Formidable's extensive configuration options
- Consider upgrading to the latest version of Formidable which includes additional configuration controls
For context on how this affects downstream projects, see the Strapi GitHub Issue #20189.
Workarounds
- Implement a custom filename sanitization function that removes path traversal characters and dangerous extensions
- Store uploaded files outside the web root directory to prevent direct execution
- Use Formidable's options.filter to validate file types before processing
- Generate unique, random filenames for all uploads using options.filename callback
- Implement file type verification based on file content (magic bytes) rather than extensions
# Configuration example - Check for vulnerable Formidable version in your Node.js projects
npm list formidable | grep -E "formidable@3\.1\.4"
# Audit dependencies for known vulnerabilities
npm audit
# Update to latest Formidable version with additional security configurations
npm update formidable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
