Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Summary

Formidable (aka node-formidable) versions 2.0.0, 2.0.0-canary.20200402.1 through 2.1.2, 3.x through 3.5.2 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.