CVE-2022-29622

CRITICAL

formidable 3.1.4 - Arbitrary File Upload via Crafted Filename

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-29622. PoCs published by keymandll.

AI-analyzed exploit summary This repository is a writeup and demonstration to argue that Formidable (v3.1.4) is not vulnerable to CVE-2022-29622. It includes a server setup to test file uploads and a script illustrating why arbitrary code execution via filename manipulation is not achievable under realistic conditions.

Description

An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability.

Exploits (1)

nomisec WRITEUP 3 stars
by keymandll · poc
https://github.com/keymandll/CVE-2022-29622

This repository is a writeup and demonstration to argue that Formidable (v3.1.4) is not vulnerable to CVE-2022-29622. It includes a server setup to test file uploads and a script illustrating why arbitrary code execution via filename manipulation is not achievable under realistic conditions.

Classification
Writeup 100%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Formidable v3.1.4
No auth needed
Prerequisites: Node.js environment · Formidable v3.1.4
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.2446
EPSS Percentile 96.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (2)
formidable_project/formidable 3.1.4
npm/formidable 0 - 3.2.4npm
Published May 16, 2022
Tracked Since Feb 18, 2026