Description
The @uppy/companion npm package before versions 1.13.2 and 2.0.0-alpha.5 contains a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise interact with internal systems.
Recommendation
Update the @uppy/companion package to the latest compatible version. Version details are as follows:
Affected version(s): **>= 2.0.0-alpha.0, <= 2.0.0-alpha.4** and **< 1.13.2**
Patched version(s): **2.0.0-alpha.5** and **1.13.2**
References
Related Issues
- Server-Side Request Forgery in @uppy/companion (GHSA-mm7r-265w-jv6f) - CVE-2020-8135
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- Axios vulnerable to Server-Side Request Forgery - CVE-2020-28168
- Tags:
- npm
- @uppy/companion
Last updated on September 13, 2023