Description
@uppy/companion prior to version 3.3.1 is vulnerable to incorrect authorization. A user with URL upload access could enumerate the internal networks of the Companion server, have files from local web servers sent to the destination server, and finally download those files, provided each file had a guessable, regular name.
Recommendation
Update the @uppy/companion package to the latest compatible version. Version details:
- Affected version(s): < 3.3.1
- Patched version(s): 3.3.1
References
- GHSA-q24h-5rq3-63j9
- huntr.dev
- CVE-2022-0528
- CWE-200
- CWE-863
- CWE-918
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- rollbar vulnerable to prototype pollution - CVE-2025-57325
- Prebid.js NPM package briefly compromised - CVE-2025-59038
- devalue prototype pollution vulnerability - CVE-2025-57820
- js-toml Prototype Pollution Vulnerability - CVE-2025-54803
Tags:
- npm
- @uppy/companion
Last updated on June 27, 2023