Description
Versions prior to 1.0.5 are affected by a Cross-Site Request Forgery (CSRF) vulnerability: state-changing requests carry no CSRF mitigation (no anti-CSRF tokens or equivalent), so a malicious page can make a logged-in user's browser submit requests to the server without the user intending them. The fix introduced in 1.0.5 unintentionally breaks uploading, so 1.0.7 is the fixed version.
The issue is patched by implementing the Double Submit Cookie pattern.
Recommendation
Update the save-server package to the latest compatible version. Version details:
- Affected version(s): < 1.0.5
- Patched version(s): 1.0.7
Related Issues
- Directory traversal in rollup-plugin-server - CVE-2020-7686
- pym.js CSRF Vulnerability - CVE-2018-1000086
- Server-Side Request Forgery in @uppy/companion - CVE-2020-8205
- FUXA SQL Injection vulnerability - fuxa-server - CVE-2023-31719
Tags: npm, save-server
Last updated on January 09, 2023