@uppy/companion prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The
get route passes the user-controlled variable
req.body.url to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server.
Upgrade to version 1.9.3 or later.