hmcts · hsjhita · Sep 18, 2025 · Sep 18, 2025
diff --git a/package.json b/package.json
@@ -163,7 +163,7 @@
   },
   "resolutions": {
     "@swc/core": "1.3.82",
-    "axios": "^1.7.4",
+    "axios": "^1.12.0",
     "@opentelemetry/instrumentation": "^0.203.0",
     "pino-std-serializers": "^7.0.0",
     "tough-cookie": "^5.0.0",
@@ -176,7 +176,7 @@
     "import-in-the-middle": "^1.4.2",
     "follow-redirects": "^1.15.4",
     "es5-ext": "^0.10.63",
-    "formidable": "^3.2.4",
+    "formidable": "^3.5.3",
     "puppeteer": "^23.2.0",
     "ws": "^8.17.1",
     "ip": "^2.0.1",

diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
@@ -1 +1 @@
-{"actions":[],"advisories":{"1105075":{"findings":[{"version":"3.5.2","paths":["@hmcts/nodejs-healthcheck>superagent>formidable"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-46653\n- https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5\n- https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10\n- https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md\n- https://github.com/node-formidable/formidable/commit/37a3e89fca1ed68ec674a539f13aafd62221ddaa\n- https://www.npmjs.com/package/formidable/v/2.1.3\n- https://www.npmjs.com/package/formidable/v/3.5.3\n- https://github.com/advisories/GHSA-75v8-2h7p-7m2m","created":"2025-04-26T21:31:26.000Z","id":1105075,"npm_advisory_id":null,"overview":"Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not \"cryptographically secure.\" (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.","reported_by":null,"title":"Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content","metadata":null,"cves":["CVE-2025-46653"],"access":"public","severity":"low","module_name":"formidable","vulnerable_versions":">=3.1.1-canary.20211030 <3.5.3","github_advisory_id":"GHSA-75v8-2h7p-7m2m","recommendation":"Upgrade to version 3.5.3 or later","patched_versions":">=3.5.3","updated":"2025-05-27T18:49:22.000Z","cvss":{"score":3.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-338"],"url":"https://github.com/advisories/GHSA-75v8-2h7p-7m2m"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":0,"critical":0},"dependencies":700,"devDependencies":0,"optionalDependencies":0,"totalDependencies":700}}
+{"actions":[],"advisories":{"1107370":{"findings":[{"version":"3.4.1","paths":["codeceptjs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-57285\n- https://gist.github.com/Dremig/1ba111f9b1f7cffe1fcb4838b64e55b9\n- https://www.npmjs.com\n- https://github.com/advisories/GHSA-34w8-mcwr-vg29","created":"2025-09-08T18:31:42.000Z","id":1107370,"npm_advisory_id":null,"overview":"CodeceptJS 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.","reported_by":null,"title":"CodeceptJS's incomprehensive sanitation can lead to Command Injection","metadata":null,"cves":["CVE-2025-57285"],"access":"public","severity":"critical","module_name":"codeceptjs","vulnerable_versions":"<=3.7.3","github_advisory_id":"GHSA-34w8-mcwr-vg29","recommendation":"None","patched_versions":"<0.0.0","updated":"2025-09-10T17:11:21.000Z","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"cwe":["CWE-77"],"url":"https://github.com/advisories/GHSA-34w8-mcwr-vg29"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":1},"dependencies":700,"devDependencies":0,"optionalDependencies":0,"totalDependencies":700}}
diff --git a/yarn.lock b/yarn.lock
@@ -2514,6 +2514,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@noble/hashes@npm:^1.1.5":
+  version: 1.8.0
+  resolution: "@noble/hashes@npm:1.8.0"
+  checksum: c94e98b941963676feaba62475b1ccfa8341e3f572adbb3b684ee38b658df44100187fa0ef4220da580b13f8d27e87d5492623c8a02ecc61f23fb9960c7918f5
+  languageName: node
+  linkType: hard
+
 "@nodelib/fs.scandir@npm:2.1.5":
   version: 2.1.5
   resolution: "@nodelib/fs.scandir@npm:2.1.5"
@@ -2717,6 +2724,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@paralleldrive/cuid2@npm:^2.2.2":
+  version: 2.2.2
+  resolution: "@paralleldrive/cuid2@npm:2.2.2"
+  dependencies:
+    "@noble/hashes": ^1.1.5
+  checksum: f7f6ac70e0268ec2c72e555719240d5c2c9a859ce541ac1c637eed3f3ee971b42881d299dedafbded53e7365b9e98176c5a31c442c1112f7e9e7306f2fd0ecbb
+  languageName: node
+  linkType: hard
+
 "@parcel/watcher-android-arm64@npm:2.5.1":
   version: 2.5.1
   resolution: "@parcel/watcher-android-arm64@npm:2.5.1"
@@ -5015,14 +5031,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"axios@npm:^1.7.4":
-  version: 1.11.0
-  resolution: "axios@npm:1.11.0"
+"axios@npm:^1.12.0":
+  version: 1.12.2
+  resolution: "axios@npm:1.12.2"
   dependencies:
     follow-redirects: ^1.15.6
     form-data: ^4.0.4
     proxy-from-env: ^1.1.0
-  checksum: 0a33dc600b588bfd3111b198d5985527ed89f722817455d7cdb66c1d055e5f8859cc2bebb7320888957fc8458ebe77d5f83af02af9cd260217c91c4e92b6dfb6
+  checksum: f0331594fe053a4bbff04104edb073973a3aabfad2e56b0aa18de82428aa63f6f0839ca3d837258ec739cb4528014121793b1649a21e5115ffb2bf8237eadca3
   languageName: node
   linkType: hard
 
@@ -8701,14 +8717,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"formidable@npm:^3.2.4":
-  version: 3.5.2
-  resolution: "formidable@npm:3.5.2"
+"formidable@npm:^3.5.3":
+  version: 3.5.4
+  resolution: "formidable@npm:3.5.4"
   dependencies:
+    "@paralleldrive/cuid2": ^2.2.2
     dezalgo: ^1.0.4
-    hexoid: ^2.0.0
     once: ^1.4.0
-  checksum: 7c7972e8a15d45e6d2315a54d77f0900e5c610aff9b5730de326e2b34630604e1eff6c9d666e5504fba4c8818ccaed682d76a4fdb718b160c6afa2c250bf6a76
+  checksum: bdb8ecd8af16d40e7e4c06a9dbaf0394fe9cabb7a4cef6f68512ce6fe7933f5a9c588dfc5c1d92cbf83a9e4764f5216064d955669530d3d23ca816e93ea62989
   languageName: node
   linkType: hard
 
@@ -9421,13 +9437,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"hexoid@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "hexoid@npm:2.0.0"
-  checksum: 69a92b2bcd7c81c16557de017c59511643e3cb1f0d6e9e9b705859b798bfd059088e4d3cc85e9fe0a9e431007430f15393303c3e74320b5c4c28cb64fc7d8bb4
-  languageName: node
-  linkType: hard
-
 "hoopy@npm:^0.1.4":
   version: 0.1.4
   resolution: "hoopy@npm:0.1.4"
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		{"actions":[],"advisories":{"1105075":{"findings":[{"version":"3.5.2","paths":["@hmcts/nodejs-healthcheck>superagent>formidable"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-46653\n- https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5\n- https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10\n- https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md\n- https://github.com/node-formidable/formidable/commit/37a3e89fca1ed68ec674a539f13aafd62221ddaa\n- https://www.npmjs.com/package/formidable/v/2.1.3\n- https://www.npmjs.com/package/formidable/v/3.5.3\n- https://github.com/advisories/GHSA-75v8-2h7p-7m2m","created":"2025-04-26T21:31:26.000Z","id":1105075,"npm_advisory_id":null,"overview":"Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not \"cryptographically secure.\" (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.","reported_by":null,"title":"Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content","metadata":null,"cves":["CVE-2025-46653"],"access":"public","severity":"low","module_name":"formidable","vulnerable_versions":">=3.1.1-canary.20211030 <3.5.3","github_advisory_id":"GHSA-75v8-2h7p-7m2m","recommendation":"Upgrade to version 3.5.3 or later","patched_versions":">=3.5.3","updated":"2025-05-27T18:49:22.000Z","cvss":{"score":3.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-338"],"url":"https://github.com/advisories/GHSA-75v8-2h7p-7m2m"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":0,"critical":0},"dependencies":700,"devDependencies":0,"optionalDependencies":0,"totalDependencies":700}}
		{"actions":[],"advisories":{"1107370":{"findings":[{"version":"3.4.1","paths":["codeceptjs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-57285\n- https://gist.github.com/Dremig/1ba111f9b1f7cffe1fcb4838b64e55b9\n- https://www.npmjs.com\n- https://github.com/advisories/GHSA-34w8-mcwr-vg29","created":"2025-09-08T18:31:42.000Z","id":1107370,"npm_advisory_id":null,"overview":"CodeceptJS 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.","reported_by":null,"title":"CodeceptJS's incomprehensive sanitation can lead to Command Injection","metadata":null,"cves":["CVE-2025-57285"],"access":"public","severity":"critical","module_name":"codeceptjs","vulnerable_versions":"<=3.7.3","github_advisory_id":"GHSA-34w8-mcwr-vg29","recommendation":"None","patched_versions":"<0.0.0","updated":"2025-09-10T17:11:21.000Z","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"cwe":["CWE-77"],"url":"https://github.com/advisories/GHSA-34w8-mcwr-vg29"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":1},"dependencies":700,"devDependencies":0,"optionalDependencies":0,"totalDependencies":700}}