Title: File Type Restriction Bypass in Socket.io-file NPM module

Date: 31/07/2020

CVE-ID: CVE-2020-24807

CVSS Score: 7.8 (v3)

Author: Thomas Sermpinis

Versions: <= 2.0.31

Package URL: -

Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0

All versions of socket.io-file are vulnerable to a file restriction bypass. The validation for valid file types only happens on the client-side, which allows an attacker to intercept the Websocket request post-validation and alter the name value to upload any file types.

No fix is currently available. Consider using an alternative package until a fix is made available.

Technical Report

Advisory

Github Advisory

CVE-ID (Mitre)

CVE-ID (NIST)