Description
The @uppy/companion npm package before versions 1.13.2 and 2.0.0-alpha.5 is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to scan local or external networks or otherwise interact with internal systems.
Recommendation
Update the @uppy/companion package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 2.0.0-alpha.0, <= 2.0.0-alpha.4** and **< 1.13.2**
Patched version(s): **2.0.0-alpha.5** and **1.13.2**
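As an added example (not part of the advisory or of the Uppy project's code), a small Node.js check that tests installed @uppy/companion versions against the affected ranges above. It implements semver prerelease ordering itself instead of depending on the semver package, and the lock-file data is constructed, not taken from a real project.

```javascript
// Added example: test @uppy/companion versions against the advisory's affected ranges
// (>= 2.0.0-alpha.0 <= 2.0.0-alpha.4, and < 1.13.2). Build metadata (+...) is not handled.
function parseVersion(v) {
  // "MAJOR.MINOR.PATCH[-prerelease]" -> numeric core plus prerelease identifiers
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  const pre = m[4] ? m[4].split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver precedence: numeric core first; a prerelease sorts below the same core without
// one; numeric ids compare numerically and sort below alphanumeric ids, which compare lexically.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  // Same core: the side without a prerelease list is the higher version.
  if (!A.pre.length || !B.pre.length) return Math.sign(B.pre.length - A.pre.length);
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    if (i >= A.pre.length || i >= B.pre.length) return i >= A.pre.length ? -1 : 1;
    const x = A.pre[i], y = B.pre[i];
    if (x === y) continue;
    if (typeof x === typeof y) return x < y ? -1 : 1; // both numeric or both alphanumeric
    return typeof x === 'number' ? -1 : 1;            // numeric id sorts below alphanumeric
  }
  return 0;
}

// Affected ranges exactly as stated in the advisory.
const AFFECTED_RANGES = [
  v => compareVersions(v, '2.0.0-alpha.0') >= 0 && compareVersions(v, '2.0.0-alpha.4') <= 0,
  v => compareVersions(v, '1.13.2') < 0,
];
function isAffected(version) { return AFFECTED_RANGES.some(inRange => inRange(version)); }

// Audit every @uppy/companion entry in a package-lock.json (lockfile v2/v3 "packages" map).
function auditLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith('node_modules/@uppy/companion'))
    .map(([path, meta]) => ({ path, version: meta.version, affected: isAffected(meta.version) }));
}

// Constructed sample lock data: one vulnerable copy and one nested, patched copy.
const SAMPLE_LOCK = { packages: {
  'node_modules/@uppy/companion': { version: '1.13.1' },
  'node_modules/legacy-app/node_modules/@uppy/companion': { version: '2.0.0-alpha.5' },
} };
console.table(auditLock(SAMPLE_LOCK));
```

Point auditLock at the parsed contents of a real package-lock.json to check nested copies of the package, which npm ls can hide behind deduplication.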
Tags:
- npm
- @uppy/companion
Last updated on September 13, 2023