GHSA-6495-8jvh-f28x

Suggest an improvement
Source
https://github.com/advisories/GHSA-6495-8jvh-f28x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-6495-8jvh-f28x/GHSA-6495-8jvh-f28x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6495-8jvh-f28x
Aliases
  • CVE-2020-24807
Published
2020-10-02T15:39:54Z
Modified
2026-05-04T08:46:09.191606680Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
File restriction bypass in socket.io-file
Details

All versions of socket.io-fileare vulnerable to a file restriction bypass. The validation for valid file types only happens on the client-side, which allows an attacker to intercept the Websocket request post-validation and alter the name value to upload any file types.

No fix is currently available. Consider using an alternative package until a fix is made available.

Database specific 
{
    "cwe_ids": [
        "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-02T15:36:34Z",
    "nvd_published_at": null,
    "severity": "HIGH"
}
References

Affected packages

npm / socket.io-file

Package

Name
socket.io-file
View open source insights on deps.dev
Purl
pkg:npm/socket.io-file

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2.0.31

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-6495-8jvh-f28x/GHSA-6495-8jvh-f28x.json"