Title: File Type Restriction Bypass in Socket.io-file NPM module
Author: Thomas Sermpinis
Versions: <= 2.0.31
Package URL: -
Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0
All versions of socket.io-file are vulnerable to a file restriction bypass. The validation for valid file types only happens on the client-side, which allows an attacker to intercept the Websocket request post-validation and alter the name value to upload any file types.
No fix is currently available. Consider using an alternative package until a fix is made available.