socket.io-file@2.0.14 vulnerabilities

File uploader module for Socket.io

Direct Vulnerabilities

Known vulnerabilities in the socket.io-file package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable version

Severity: High
File Type Restriction Bypass

socket.io-file is a file uploader module for Socket.io.

Affected versions of this package are vulnerable to File Type Restriction Bypass. The validation of permitted file types happens only on the client side, so an attacker can intercept the WebSocket request after that validation and alter the name value to upload a file of any type.

How to fix File Type Restriction Bypass?

There is no fixed version for socket.io-file.

Severity: High
Directory Traversal

socket.io-file is a file uploader module for Socket.io.

Affected versions of this package are vulnerable to Directory Traversal. The package fails to sanitize user input and uses it to build the file upload path. The socket.io-file::createFile message carries a name option that is passed directly to path.join(), so a relative path in the name value, such as ../../test.js, lets an attacker write the uploaded file to arbitrary folders on the server. The uploadDir and rename options define the base upload path.

How to fix Directory Traversal?

There is no fixed version for socket.io-file.
