Описание
File restriction bypass in socket.io-file
All versions of socket.io-fileare vulnerable to a file restriction bypass. The validation for valid file types only happens on the client-side, which allows an attacker to intercept the Websocket request post-validation and alter the name value to upload any file types.
No fix is currently available. Consider using an alternative package until a fix is made available.
Пакеты
socket.io-file
<= 2.0.31
Отсутствует
Связанные уязвимости
The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer