Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackerone3sl4m-s4l3mH1:786956
HistoryJan 31, 2020 - 4:31 p.m.

Node.js third-party modules: Server Side Request Forgery in Uppy npm module

2020-01-3116:31:11
3sl4m-s4l3m
hackerone.com
106

EPSS

0.003

Percentile

68.2%

JSON

Hi Team,

While we were testing our security engine at Shieldfy (https://shieldfy.io), We found a server side request forgery (SSRF) vulnerability in Uppy npm package.
It allows hacker to easily extract inside information from the server or take control of internal services.

Module

module name: Uppyversion:Latest: 1.8.0npm page: https://www.npmjs.com/package/uppy

Module Description

Uppy is a sleek, modular JavaScript file uploader that integrates seamlessly with any application. It’s fast, easy to use and lets you worry about more important problems than building a file uploader.

Module Stats

[1] weekly downloads : 23,153

Vulnerability

Server Side Request Forgery ( SSRF )

Vulnerability Description

in the source code of the module
file: packages/@uppy/companion/src/server/controllers/url.js line: 11

You will find the express is routing the /get endpoint to the function get declared in line 43

Then it calls [`downloadURL` in line`61](https://github.com/transloadit/uppy/blob/746bbcbbc5dc64203390322b28fb380ec67bd94f/packages/%40uppy/companion/src/server/controllers/url.js#L61) and pass `req.body.url` to it as argument

in the function downloadURL declared in line 80

It calls the url directly without any kind of sanitization or validation, opens the door to send malicious ssrf attack, allowing the hacker to extract information from any internal resource, or take control of any internal service.

Steps To Reproduce:

  1. deploy the module in live server (ex: digital ocean server)
  2. request β€˜Add More button’ then click on Link button
  3. Submit Link of DigitalOcean metadata api http://169.254.169.254/metadata/v1/
  4. once done uploading , download the file you should see the content of the server metadata
id
hostname
user-data
vendor-data
public-keys
region
interfaces/
dns/
floating_ip/
tags/
features/

Patch

The suggested fix.

  1. use whitelist technique in the url protocol ( allow only http & https ), and on the port ( 80 & 443 )
  2. use blacklist technique in the host (disable IPs v4 & v6 allowing only domains, disable domains that used as internal routing if any)
  3. disable redirection followAllRedirects to avoid bypasses

Supporting Material/References:

More info about ssrf can be found here : https://shieldfy.io/security-wiki/server-side-request-forgery/server-side-request-forgery/

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N

Impact

  • Scan local or external network
  • Read files from affected server
  • Interact with internal systems
  • Remote code execution

Related

cvelist 1
osv 2
nodejs 1
veracode 2
cve 1
nvd 1
githubexploit 1
github 1
prion 1
attackerkb 1
cvelist
cvelist
CVE-2020-8135
2020-03-20 18:26:32
osv
osv
Server-Side Request Forgery in @uppy/companion
2020-09-03 15:51:19
CVE-2020-8135
2020-03-20 19:15:12
nodejs
nodejs
Server-Side Request Forgery
2020-03-26 19:35:50
veracode
veracode
Server-Side Request Forgery (SSRF)
2020-03-03 05:40:36
Server-Side Request Forgery (SSRF)
2020-06-29 02:56:26
cve
cve
CVE-2020-8135
2020-03-20 19:15:12
nvd
nvd
CVE-2020-8135
2020-03-20 19:15:12
githubexploit
githubexploit
Exploit for Server-Side Request Forgery in Uppy
2020-12-01 09:45:48
github
github
Server-Side Request Forgery in @uppy/companion
2020-09-03 15:51:19
prion
prion
Server side request forgery (ssrf)
2020-03-20 19:15:00
attackerkb
attackerkb
CVE-2020-8135
2020-03-20 00:00:00

EPSS

0.003

Percentile

68.2%

JSON
Related for H1:786956
cvelist1osv2nodejs1veracode2cve1nvd1githubexploit1github1prion1attackerkb1