CVE-2020-15779

Name of the Vulnerable Software and Affected Versions socket.io-file versions through 2.0.31

Description A Path Traversal issue was discovered in the socket.io-file package for Node.js. The socket.io-file::createFile message uses path.join with ../ in the name option, and the uploadDir and rename options determine the path. The package fails to sanitize user input and uses it to generate the file upload paths, allowing files to be uploaded to arbitrary folders on the server by sending relative paths on the name value.

Recommendations For versions through 2.0.31, consider disabling the socket.io-file::createFile message until a patch is available to prevent exploitation of the Path Traversal issue. Restrict access to the uploadDir and rename options to minimize the risk of arbitrary file uploads. Avoid using the name option in the socket.io-file::createFile message with relative paths until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.