CVE-2020-24807
Description
The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| socket.io-file (npm) | <= 2.0.31 | — |
Affected products
- socket.io-file/socket.io-file
Patches
Vulnerability mechanics
Root cause
"The socket.io-file module trusts client-supplied file names and types without server-side validation, allowing arbitrary file uploads."
Attack vector
An attacker sends a crafted Socket.io upload request where the JSON `name` field contains a filename with an executable extension (e.g., `.exe`, `.sh`) while the actual file content is an executable payload. Because the server relies on client-side validation of file types [CWE-20] and does not re-validate the file extension or MIME type server-side, the attacker can bypass any client-side MIME checks and write an arbitrary executable file to the server's upload directory. The attacker then triggers execution of that file through a separate mechanism (e.g., direct HTTP access if the upload directory is web-accessible).
Affected code
The vulnerability resides in the socket.io-file Node.js module (versions through 2.0.31). The server-side code trusts the file type information sent by the client in the JSON upload payload, specifically the `name` field, and does not independently validate the file extension or MIME type against the server-configured `accepts` list before writing the file to disk.
What the fix does
The advisory states that the vulnerability is inherent in the design: the module relies on client-side validation of file types and does not enforce server-side checks on the file extension or MIME type. No patch is provided in the bundle; the maintainer has not released a fix. The recommended remediation is to implement server-side validation of the file extension against an allowlist and to verify the actual MIME type of the uploaded content before writing it to disk.
Preconditions
- config: The server must be running a version of socket.io-file through 2.0.31.
- network: The attacker must be able to establish a Socket.io connection to the server and send a crafted upload request.
- config: The server's upload directory must be accessible (e.g., via a web server), or the attacker must have another means to execute the uploaded file.
- auth: No authentication is required; the module does not enforce any authentication for uploads.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6495-8jvh-f28x (source: GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-24807 (source: GHSA; advisory)
- www.npmjs.com/advisories/1564 (source: GHSA; web)
- www.npmjs.com/package/socket.io-file (source: MITRE; misc)