socket.io-file@1.0.4 vulnerabilities

File uploader module for Socket.io

latest version

2.0.31
first published

8 years ago
latest version published

5 years ago
licenses detected
- MIT
  >=0
View socket.io-file package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the socket.io-file package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H File Type Restriction Bypass socket.io-file is a File uploader module for Socket.io Affected versions of this package are vulnerable to File Type Restriction Bypass. The validation for valid file types only happens on the client-side, which allows an attacker to intercept the Websocket request post-validation and alter the `name` value to upload any file types. How to fix File Type Restriction Bypass? There is no fixed version for `socket.io-file`.	*
H Directory Traversal socket.io-file is a File uploader module for Socket.io Affected versions of this package are vulnerable to Directory Traversal. The package fails to sanitize user input and uses it to generate the file upload paths. The `socket.io-file::createFile` message contains a `name` option that is passed directly to `path.join()`. It is possible to upload files to arbitrary folders on the server by sending relative paths on the `name` value, such as `../../test.js`. The `uploadDir` and `rename` options can be used to define the file upload path. How to fix Directory Traversal? There is no fixed version for `socket.io-file`.	*

File Type Restriction Bypass

socket.io-file is a File uploader module for Socket.io

Affected versions of this package are vulnerable to File Type Restriction Bypass. The validation for valid file types only happens on the client-side, which allows an attacker to intercept the Websocket request post-validation and alter the name value to upload any file types.

How to fix File Type Restriction Bypass?

There is no fixed version for socket.io-file.

Directory Traversal

socket.io-file is a File uploader module for Socket.io

Affected versions of this package are vulnerable to Directory Traversal. The package fails to sanitize user input and uses it to generate the file upload paths. The socket.io-file::createFile message contains a name option that is passed directly to path.join(). It is possible to upload files to arbitrary folders on the server by sending relative paths on the name value, such as ../../test.js. The uploadDir and rename options can be used to define the file upload path.

How to fix Directory Traversal?

There is no fixed version for socket.io-file.

Go back to all versions of this package

socket.io-file@1.0.4 vulnerabilities

File uploader module for Socket.io

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities