|
| 1 | +--- |
| 2 | +title: "Vulnerability Disclosure Challenges in Open Source Projects" |
| 3 | +description: "An in-depth exploration of the challenges encountered during the security vulnerability disclosure process in the Formidable library, using CVE-2025-46653 as a case study, and reflections on the current state of open source ecosystem maintenance." |
| 4 | +author: "Zast.ai" |
| 5 | +date: 2025-09-03 |
| 6 | +categories: [Security, Open Source, Vulnerability Disclosure] |
| 7 | +tags: [CVE, Formidable, SBOM, Supply Chain Security, Responsible Disclosure, npm, GitHub] |
| 8 | +--- |
| 9 | + |
| 10 | +## Introduction: vulnerability in SBOM (open source) |
| 11 | + |
| 12 | +Imagine this: One day, your application suddenly was hacked - customer data was leaked or even worse. Not because your code has a bug, but because of a critical vulnerability in a fundamental library buried deep in the dependency tree. In this blog, we will use <a href="https://www.cve.org/CVERecord?id=CVE-2025-46653" target="_blank" rel="noopener noreferrer">CVE-2025-46653</a> as a case study. What surprised us most was HOW MUCH EFFORT we had to pay to responsibly disclose this vulnerability. We had to tell the story, so that we as a community may collaborate better in such matter later on. |
| 13 | + |
| 14 | +## Case study: CVE-2025-46653 |
| 15 | + |
| 16 | +Our AI agent, Zast.ai, identified a zero-day vulnerability in Formidable while analyzing a popular content sharing platform. This dependency has over 10 million weekly downloads and shows signs of reduced maintenance activity. It also lacks documented security response processes. When examining the dependency tree with npm ls, this vulnerable component is located five levels deep in the dependency hierarchy. |
| 17 | + |
| 18 | +To understand how a single vulnerable dependency can impact an entire application, let's look at a typical Node.js application architecture: |
| 19 | + |
| 20 | + |
| 21 | + |
| 22 | +<center><em>Architecture flowchart by our engineering team</em></center> |
| 23 | + |
| 24 | +As shown in the diagram, Formidable, sitting in the external services layer, can expose vulnerabilities that propagate all the way up to the user interface. |
| 25 | + |
| 26 | +## Technical Analysis |
| 27 | + |
| 28 | +**Vulnerability Nature:** |
| 29 | + |
| 30 | +CVE-2025-46653 is an "insecure design of file upload naming" vulnerability that allows malicious actors to predict the real names of arbitrarily uploaded files, potentially leading to sensitive file disclosure. This vulnerability has been assigned a CVSS score of 3.1. The score is intentionally conservative as it reflects the vulnerability's limited impact when considered in isolation, though it should still be addressed as part of comprehensive security measures. |
| 31 | + |
| 32 | +Additionally, during our evaluation of Formidable, we found that web applications using this dependency without proper security restrictions can be vulnerable to arbitrary file uploads. When combined with CVE-2025-46653, this could escalate to Stored XSS or even RCE vulnerabilities, you may refer <a href="https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md" target="_blank" rel="noopener noreferrer">here</a> for more details. |
| 33 | + |
| 34 | +**Impact Scope:** |
| 35 | + |
| 36 | +Formidable versions 2.1.0 - 3.5.2 are affected. |
| 37 | + |
| 38 | +**The Discovery:** |
| 39 | + |
| 40 | +Zast.ai uncovered this vulnerability in Formidable when assessing a popular content sharing platform. The library is widely used and processes millions of file uploads daily. |
| 41 | + |
| 42 | +!Vulnerability Diagram |
| 43 | + |
| 44 | + |
| 45 | + |
| 46 | +### The Disclosure Journey |
| 47 | + |
| 48 | +Below is the complete timeline of our responsible disclosure attempts for the Formidable vulnerability: |
| 49 | + |
| 50 | +**Following Official Channels** |
| 51 | + |
| 52 | +- First we checked Formidable's GitHub SECURITY.md file, which directs vulnerability reports to security@tunnckocore.com |
| 53 | + |
| 54 | + |
| 55 | + |
| 56 | +- The document states that confirmed vulnerabilities would be synchronized with the npm security team and Tidelift security |
| 57 | + |
| 58 | +- When we sent emails, we discovered this address no longer exists; messages bounced back |
| 59 | + |
| 60 | + |
| 61 | + |
| 62 | +**Attempting Alternative Contact Methods** |
| 63 | + |
| 64 | +- Formidable's npm page suggests contacting @tunnckoCore or @3a1FcBx0 via Twitter |
| 65 | + |
| 66 | + |
| 67 | + |
| 68 | +- We found that the @3a1FcBx0 account no longer exists |
| 69 | + |
| 70 | + |
| 71 | + |
| 72 | +- When we attempted to reach out to the owner of the @tunnckoCore account, the account itself had already been inactive for an extended period—and we had no way to send direct messages to them at that time. |
| 73 | + |
| 74 | +- We left a comment under their last post, hoping to attract attention |
| 75 | + |
| 76 | + |
| 77 | + |
| 78 | +- When visiting <a href="http://tunnckocore.com" target="_blank" rel="noopener noreferrer">tunnckocore.com</a>, we discovered the domain had been taken over by a gambling website |
| 79 | + |
| 80 | + |
| 81 | + |
| 82 | +**Contacting Official Platforms** |
| 83 | + |
| 84 | +- We attempted to contact the npm security team <a href="mailto:security@npmjs.com">security@npmjs.com</a>, but our emails were rejected by the server |
| 85 | + |
| 86 | + |
| 87 | + |
| 88 | +- We contacted the Tidelift security team, who responded that they have no partnership with Formidable |
| 89 | + |
| 90 | + |
| 91 | + |
| 92 | +**Direct Contact with All Maintainers** |
| 93 | + |
| 94 | +- Using the npm show formidable command, we identified all official maintainers (5 in total) |
| 95 | + |
| 96 | + |
| 97 | + |
| 98 | +- We sent two rounds of emails to all maintainers, with most receiving no response |
| 99 | + |
| 100 | + |
| 101 | + |
| 102 | +- We specifically contacted Cyril, who had committed code 5 months prior, but received no reply |
| 103 | + |
| 104 | + |
| 105 | + |
| 106 | +- We contacted Nathanael, who was active on GitHub, but similarly received no reply |
| 107 | + |
| 108 | + |
| 109 | + |
| 110 | +**Last Hope** |
| 111 | + |
| 112 | +- We contacted Felix, the original developer of the project, who replied that he was no longer actively maintaining the project |
| 113 | + |
| 114 | + |
| 115 | + |
| 116 | +- He tried to confirm whether he still had commit rights and found that he could still merge code |
| 117 | + |
| 118 | + |
| 119 | + |
| 120 | +- Although he had no time to develop patches, he expressed willingness to help verify vulnerabilities and merge fixes provided by others |
| 121 | + |
| 122 | +- Unfortunately, the response was dismissive of the automated findings, expressing skepticism about AI-generated reports. |
| 123 | + |
| 124 | + |
| 125 | + |
| 126 | +**The Turning Point** |
| 127 | + |
| 128 | +Several weeks later, unexpectedly, tunnckoCore responded to our message, despite his official contact channels being defunct. |
| 129 | + |
| 130 | + |
| 131 | + |
| 132 | +**Final Outcome** |
| 133 | + |
| 134 | +After weeks of persistent effort, the result is: of Formidable's five official maintainers, three were completely unreachable, one (Felix) had merge permissions but no time for active development, and only one (tunnckoCore) eventually responded to security concerns. This situation reflects a challenge in the open source ecosystem, where maintainers may lack the resources or incentives to address security concerns promptly. |
| 135 | + |
| 136 | +## Addressing Supply Chain Security Challenges |
| 137 | + |
| 138 | +### 4.1 Licensing and Security |
| 139 | + |
| 140 | +License Terms: The MIT license does not require parties to assume responsibility for vulnerabilities. This results in a separation between adoption and maintenance responsibilities. |
| 141 | + |
| 142 | +**Corporate Expectation:** |
| 143 | + |
| 144 | +"We initially assumed that using 'popular' open source libraries would provide security benefits, but our experience showed that this assumption may not hold when maintainers are not actively responding." |
| 145 | + |
| 146 | +### 4.2 Ecosystem Support Mechanisms |
| 147 | + |
| 148 | +**Platform Design:** |
| 149 | + |
| 150 | +npm and GitHub do not mandate that projects maintain security contacts or response protocols. The ecosystem relies on trust and voluntary maintenance. |
| 151 | + |
| 152 | +**Commercial Coverage:** |
| 153 | + |
| 154 | +Some security vendors offer monitoring services, but they focus on projects with commercial partnerships, covering a subset of the ecosystem. |
| 155 | + |
| 156 | +### 4.3 Recommended Practices |
| 157 | + |
| 158 | +Enterprise dependency management recommendations: |
| 159 | + |
| 160 | +1. Implement "heartbeat monitoring" for critical dependencies: |
| 161 | +- Track maintainer activity |
| 162 | +- Measure issue response times |
| 163 | +- Monitor security update frequency |
| 164 | +2. Establish a "backup library registry": |
| 165 | +- Maintain internal forks of critical dependencies |
| 166 | +- Create contingency plans for abandoned packages |
| 167 | +- Develop expertise in core dependencies |
| 168 | +3. Develop a dependency health assessment system: |
| 169 | +- Create a scoring model that evaluates maintainer engagement and code quality |
| 170 | +- Integrate health metrics into security reviews and procurement processes |
| 171 | +- Prioritize dependencies based on criticality to your infrastructure |
| 172 | + |
| 173 | +These approaches acknowledge differences between popularity metrics and long-term maintenance. Organizations may consider adjusting their dependency management strategies to include more active oversight of their software components. |
| 174 | + |
| 175 | +## Considerations on Dependency Management |
| 176 | + |
| 177 | +A typical Node.js project analysis found: "node_modules directories often contain over 1,300 dependencies with diverse maintenance patterns." (From npm audit data) |
| 178 | + |
| 179 | +Action items: |
| 180 | + |
| 181 | +1. Audit critical dependencies for maintenance status |
| 182 | +2. Contribute to essential libraries in the stack |
| 183 | +3. Build organizational knowledge about the dependency chain |
| 184 | + |
| 185 | + |
| 186 | + |
| 187 | +**Key Consideration:** |
| 188 | + |
| 189 | +"How should organizations approach the maintenance variability of foundational open source modules like Formidable?" |
| 190 | + |
| 191 | +Enterprises may consider evolving their open source software practices toward more active oversight and collaborative responsibility. |
| 192 | + |
| 193 | +As an automated vulnerability assessment AI agent, Zast.ai is continuously exploring effective approaches to dependency vulnerability assessment. Follow us on X <a href="https://twitter.com/zast_ai" target="_blank" rel="noopener noreferrer">@zast_ai</a> to discuss advancing software supply chain security. |
0 commit comments