The uppy npm package < 1.9.3 is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to scan local or external networks or otherwise interact with internal systems.
Recent assessments:
ericalexanderorg at March 21, 2020 1:52pm UTC reported:
SSRF in npm package that's downloaded 23k/week and is found in 4k GitHub repos. High because of its value to grab access keys from cloud metadata URLs.
<https://hackerone.com/reports/786956>
Assessed Attacker Value: 5