All versions of socket.io-file are vulnerable to a file restriction bypass. The validation of allowed file types happens only on the client side, so an attacker can intercept the WebSocket request after that validation has run and alter the `name` value to upload any file type.
No fix is currently available. Consider using an alternative package until a fix is made available.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | socket.io-file | le | 2.0.31 |
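The class of bug described above is fixed by re-checking the upload on the server, where the client cannot skip it. The following is an added example, not code from socket.io-file or from the advisory: a server-side check of the client-supplied `name` field (extension allowlist, no path components) plus a magic-byte check on the first bytes of the upload. The allowlist, signatures and function names are assumptions for this example.

```javascript
// Added example (not socket.io-file's own code). A client-side type check can be
// bypassed by editing the WebSocket message, so the server must re-validate the
// upload's "name" and content before anything is written to disk.

// Allowed extensions and the magic bytes each one must start with (constructed
// allowlist for this example; extend it to the types your application accepts).
const ALLOWED = {
  '.png':  [Buffer.from([0x89, 0x50, 0x4e, 0x47])],
  '.jpg':  [Buffer.from([0xff, 0xd8, 0xff])],
  '.jpeg': [Buffer.from([0xff, 0xd8, 0xff])],
  '.pdf':  [Buffer.from('%PDF-')],
};

// Validates the client-supplied name. Returns { ok: true, safeName, ext } or
// { ok: false, reason }. Directory components and dotfiles are rejected outright
// rather than "cleaned", so the stored name is exactly what was checked.
function validateUploadName(name, allowed = ALLOWED) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) {
    return { ok: false, reason: 'name must be a non-empty string of at most 255 chars' };
  }
  if (/[\u0000-\u001f\u007f]/.test(name)) {
    return { ok: false, reason: 'control characters in name' };
  }
  if (name.includes('/') || name.includes('\\')) {
    return { ok: false, reason: 'path separators in name' };
  }
  // Bare file name: non-empty base, optional middle parts, one final extension.
  // Rejects ".png", "png", "a..png" and anything starting with a dot.
  const m = /^[^.]+(?:\.[^.]+)*(\.[^.]+)$/.exec(name);
  if (!m) {
    return { ok: false, reason: 'name must be <base>.<ext>' };
  }
  const ext = m[1].toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(allowed, ext)) {
    return { ok: false, reason: `extension "${ext}" is not allowed` };
  }
  return { ok: true, safeName: name, ext };
}

// Checks that the upload's first bytes match the signature for the claimed
// extension, so a script renamed to "x.png" is rejected even though the name
// passed. This is a sanity check, not proof of content: store uploads outside
// any executable or web-served path regardless of the result.
function contentMatchesExtension(firstChunk, ext, allowed = ALLOWED) {
  const sigs = allowed[ext] || [];
  return sigs.some((sig) =>
    firstChunk.length >= sig.length && firstChunk.subarray(0, sig.length).equals(sig));
}
```

Run `validateUploadName` on the `name` field of the incoming upload message and `contentMatchesExtension` on the first chunk of data before opening a file for writing; reject the upload if either returns a negative result.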