PT-2020-15839 · Node.Js · Socket.Io-File

Published 2020-10-02 · Updated 2024-08-04 · CVE-2020-24807

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: socket.io-file, versions through 2.0.31
Description: The socket.io-file package for Node.js, versions through 2.0.31, relies on client-side validation of uploaded file types and does not repeat the check on the server. A remote attacker who edits the name field of the upload's JSON metadata can therefore bypass the type restriction and upload an executable file, which can lead to arbitrary code execution on the server. Note that the package is no longer supported by its maintainer.
Recommendations: No fixed version is known and the package is unmaintained, so the recommended action for all versions through 2.0.31 is to migrate to an actively maintained upload library. Until the package is replaced, limit who can reach the upload endpoint (authentication and network restrictions) to reduce exposure, and never trust the client-supplied name or type fields: enforce an allow-list of file types and sanitize the file name on the server before anything is written to disk, and keep the upload directory outside any location from which the web server will execute files.

RCE

Weakness Enumeration

Related Identifiers

CVE-2020-24807
GHSA-6495-8JVH-F28X
GHSA-R2GR-FHMR-66C5

Affected Products

Socket.Io-File