CVE-2020-24807: File restriction bypass in socket.io-file
All versions of socket.io-file are vulnerable to a file restriction bypass. The validation of permitted file types happens only on the client side, so an attacker can intercept the WebSocket request after that validation has run and alter the name value to upload files of any type.
No fix is currently available. Consider using an alternative package until a fix is made available.
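The weakness above is that the name field arrives from the client and can be rewritten in transit, so only a check performed on the server counts. The following is an added example, not code from socket.io-file or from this advisory: a server-side check that treats the name as untrusted by keeping only the last path segment, enforcing an extension allowlist, and confirming that the first bytes of the upload match the claimed type. The function names, the allowlist and the signature table are assumptions for the example.

```javascript
// Extensions the server is willing to store (allowlist assumed for this example).
const ALLOWED_EXTENSIONS = new Set(['.png', '.jpg', '.jpeg', '.gif']);

// Leading-byte signatures used to confirm the content really is the claimed type.
const SIGNATURES = {
  '.png': [Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])],
  '.jpg': [Buffer.from([0xff, 0xd8, 0xff])],
  '.jpeg': [Buffer.from([0xff, 0xd8, 0xff])],
  '.gif': [Buffer.from('GIF87a'), Buffer.from('GIF89a')],
};

// Server-side validation of the client-supplied name. Returns a safe basename or null.
function validateUploadName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return null;
  if (name.includes('\0')) return null; // NUL bytes can truncate names in C-backed APIs
  // Keep only the last path segment so "../../x.png" cannot escape the upload directory.
  const base = name.split(/[\\/]/).pop();
  if (base === '' || base === '.' || base === '..') return null;
  const dot = base.lastIndexOf('.');
  if (dot <= 0) return null; // no extension, or a dotfile such as ".png"
  const ext = base.slice(dot).toLowerCase();
  return ALLOWED_EXTENSIONS.has(ext) ? base : null;
}

// Check the first bytes of the upload against the signature(s) for the given extension.
function contentMatchesExtension(firstChunk, ext) {
  const sigs = SIGNATURES[ext.toLowerCase()] || [];
  return sigs.some(
    (sig) => firstChunk.length >= sig.length && firstChunk.subarray(0, sig.length).equals(sig)
  );
}

// Combined decision the upload handler makes before writing anything to disk.
function checkUpload(name, firstChunk) {
  const safeName = validateUploadName(name);
  if (safeName === null) return { ok: false, reason: 'name rejected' };
  const ext = safeName.slice(safeName.lastIndexOf('.'));
  if (!contentMatchesExtension(firstChunk, ext)) {
    return { ok: false, reason: 'content does not match extension' };
  }
  return { ok: true, safeName };
}
```

Because the client-side check is bypassed simply by editing the WebSocket frame, the server should run `checkUpload` on the first chunk it receives and close the transfer on any failure.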