Research - [CVE-2020-24807] File Type Restriction Bypass in Socket.io-file NPM module (0day)
Title: File Type Restriction Bypass in Socket.io-file NPM module
Date: 31/07/2020
CVE-ID: CVE-2020-24807
CVSS Score: 7.8 (v3)
Author: Thomas Sermpinis
Versions: <= 2.0.31
Package URL: -
Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0
All versions of socket.io-file are vulnerable to a file type restriction bypass. Validation of allowed file types happens only on the client side, which allows an attacker to intercept the WebSocket request after validation and alter the name value to upload files of any type.
No fix is currently available. Consider using an alternative package until a fix is made available.
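The server-side check whose absence is described above, as an added example (not code from socket.io-file or from the advisory's author): the server re-validates the name value it receives instead of relying on the client's check. The names validateUploadName and ALLOWED_EXTENSIONS, the allowlist contents and the sample messages are assumptions constructed for illustration.

```javascript
// Added example: server-side re-validation of the client-supplied file name.
// validateUploadName and ALLOWED_EXTENSIONS are hypothetical, not socket.io-file API.
const ALLOWED_EXTENSIONS = new Set(['.png', '.jpg', '.jpeg', '.gif']);

function validateUploadName(name, allowed = ALLOWED_EXTENSIONS) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) {
    return { ok: false, reason: 'name missing or too long' };
  }
  // Control characters (including NUL) can truncate or confuse later path handling.
  if (/[\x00-\x1f\x7f]/.test(name)) {
    return { ok: false, reason: 'control character in name' };
  }
  // The name must be a bare file name: no directory components on any platform.
  if (/[\\/]/.test(name) || name === '.' || name === '..') {
    return { ok: false, reason: 'path separator in name' };
  }
  // Windows drops trailing dots and spaces, which changes the effective extension.
  if (/[. ]$/.test(name)) {
    return { ok: false, reason: 'trailing dot or space' };
  }
  // Only the final extension counts, compared case-insensitively.
  const dot = name.lastIndexOf('.');
  if (dot <= 0) {
    return { ok: false, reason: 'no extension' };
  }
  const ext = name.slice(dot).toLowerCase();
  if (!allowed.has(ext)) {
    return { ok: false, reason: `extension ${ext} not allowed` };
  }
  return { ok: true, ext };
}

// Constructed sample messages, each carrying a "name" value as an upload request would.
const samples = [
  { name: 'photo.PNG' },
  { name: 'notes.js' },            // name altered after client-side validation
  { name: 'photo.png.js' },        // double extension
  { name: '../../app/server.js' }, // directory components
  { name: 'photo.png\u0000.js' },  // embedded NUL
  { name: 'photo.png.' },          // trailing dot
];

function checkSamples() {
  return samples.map((m) => ({ name: m.name, ...validateUploadName(m.name) }));
}

console.log(checkSamples());
```

An extension allowlist constrains only the name; verifying that the uploaded bytes match the claimed type is a separate server-side step.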