Server-Side Request Forgery in @uppy/companion

2020-09-03T15:51:19
ID GHSA-MM7R-265W-JV6F
Type github
Reporter GitHub Advisory Database
Modified 2020-09-03T15:51:19

Description

Versions of @uppy/companion prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The get route passes the user-controlled variable req.body.url to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server.

Recommendation

Upgrade to version 1.9.3 or later.