CVE-2020-8135

EPSS 0.51%

Server-Side Request Forgery in @uppy/companion

Published: 9/3/2020
Modified: 11/8/2023
Also known as: GHSA-mm7r-265w-jv6f

Description

Versions of `@uppy/companion` prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The `get` route passes the user-controlled variable `req.body.url` to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server.

Recommendation

Upgrade to version 1.9.3 or later.
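To make the pattern concrete, the following is an added example (not code from `@uppy/companion`) of an Express-style handler that forwards a client-supplied `req.body.url`. It shows the unsafe shape the advisory describes, where the URL is used as-is, next to a hardened resolver that parses the value, requires an `http`/`https` scheme, rejects embedded credentials and only accepts hosts from an allowlist. The allowlist hosts, the `handleGet` helper and the request objects are constructed for illustration; instead of performing the network fetch, the handler returns what it would do so the two behaviours can be compared offline.

```javascript
// Added example, not @uppy/companion code. Hosts and request shapes are constructed.

// Hosts the server is permitted to fetch on the client's behalf (assumed allowlist).
const ALLOWED_HOSTS = new Set(['files.example.com', 'cdn.example.com']);

// Vulnerable pattern from the advisory: whatever arrives in req.body.url is used
// unchanged as the target of a server-side GET, so the client picks the destination.
function vulnerableResolveTarget(req) {
  return req.body.url; // no scheme or host check
}

// Hardened pattern: parse the value as an absolute URL, constrain scheme and host,
// and hand back a normalized string, or null when the request must be rejected.
function resolveTarget(req) {
  let parsed;
  try {
    parsed = new URL(String(req.body.url));
  } catch (e) {
    return null; // not a valid absolute URL
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  if (parsed.username || parsed.password) return null; // reject user:pass@host forms
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return null; // only allowlisted hosts
  return parsed.toString();
}

// Simulated `get` route: returns the decision instead of issuing the fetch, so the
// difference between the two resolvers is observable without network access.
function handleGet(req, resolver) {
  const target = resolver(req);
  if (target === null) {
    return { status: 400, body: 'url rejected' };
  }
  return { status: 200, body: `would GET ${target}` };
}

module.exports = { ALLOWED_HOSTS, vulnerableResolveTarget, resolveTarget, handleGet };
```

A host allowlist is the simplest effective control here; validating only the scheme is not enough, because an `http` URL can still point the server at any reachable host. Where a product must accept arbitrary public hosts, the resolver would additionally need to reject loopback and private address ranges after DNS resolution, which this example does not attempt.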

Affected packages (1)

References (3)