CVE-2020-15779
HIGH
socket.io-file < 2.0.31 - Path Traversal via Name Option in createFile Message
A Path Traversal issue was discovered in the socket.io-file package through 2.0.31 for Node.js. The socket.io-file::createFile message uses path.join with ../ in the name option, and the uploadDir and rename options determine the path.
References (4)
Core References
Product, Third Party Advisory x_refsource_misc
https://www.npmjs.com/package/socket.io-file
Third Party Advisory x_refsource_misc
https://github.com/rico345100/socket.io-file
Exploit, Third Party Advisory x_refsource_misc
https://www.npmjs.com/advisories/1519
Third Party Advisory x_refsource_misc
https://github.com/advisories/GHSA-9h4g-27m8-qjrg
Scores
CVSS v3
7.5
EPSS
0.0158
EPSS Percentile
72.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-22
Status
published
Products (2)
npm/socket.io-file
0npm
socket.io-file_project/socket.io-file
< 2.0.31
Published
Jul 15, 2020
Tracked Since
Feb 18, 2026