Description
Server-Side Request Forgery in @uppy/companion
Versions of @uppy/companion prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The get route passes the user-controlled variable req.body.url to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server.
Recommendation
Upgrade to version 1.9.3 or later.
Packages
Name
@uppy/companion
npm
Affected versions: < 1.9.3
Fixed version: 1.9.3
Related vulnerabilities
CVSS3: 9.8
nvd
almost 6 years ago
The uppy npm package < 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan the local or external network or otherwise interact with internal systems.