I would like to report an internal Server-Side Request Forgery (SSRF) in Uppy.
It allows an attacker to easily extract information from internal servers.
module name: Uppy
weekly downloads: 37,599
Server-Side Request Forgery (SSRF)
When I checked your fix for #786956, I noticed that it validates the host's IP address against a blacklist before passing the URL to the server to fetch (you can check that here). But it does not stop redirects to those same IP addresses, so an attacker can set up a host (or a file on one) that redirects every request it receives to a specific internal host, and this bypasses your check: in the first phase the server checks whether the requested host is allowed and, if it is, sends the request, but it never verifies which host the response redirects to.
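To make the bypass concrete, here is an added example (my own illustration, not Uppy's or Companion's code) of the two fetch patterns side by side: a guard that checks the resolved IP once and then follows redirects blindly, and one that re-resolves and re-checks every hop. DNS and HTTP are replaced by constructed in-memory tables so the block runs offline; the hostnames, addresses and the shortener URL in those tables are assumptions for the demonstration.

```javascript
// Added example, not Uppy's code: an SSRF IP blocklist that is only checked
// before the first request is bypassed by an HTTP redirect; checking every
// hop closes that gap. Network and DNS are simulated with constructed tables.

// Should an SSRF guard refuse this dotted-quad IPv4 address?
// Covers 0.0.0.0/8, loopback, RFC 1918 ranges and link-local
// (which includes the 169.254.169.254 cloud metadata endpoint).
function isForbiddenIPv4(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 ||
      parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    return true; // unparsable address: refuse rather than guess
  }
  const [a, b] = parts;
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Constructed stand-in for DNS (hostnames and addresses are assumptions).
const FAKE_DNS = {
  'tinyurl.example': '203.0.113.10',      // public redirector, TEST-NET-3 address
  'files.example': '198.51.100.7',        // public file host, TEST-NET-2 address
  'localhost': '127.0.0.1',
  'metadata.internal': '169.254.169.254',
};

// Constructed stand-in for HTTP: URL -> response (status, body or Location).
const FAKE_HTTP = {
  'http://tinyurl.example/abc':  { status: 302, location: 'http://localhost:8080/admin' },
  'http://localhost:8080/admin': { status: 200, body: 'internal admin page' },
  'http://tinyurl.example/meta': { status: 302, location: 'http://metadata.internal/latest/meta-data/' },
  'http://metadata.internal/latest/meta-data/': { status: 200, body: 'secret credentials' },
  'http://files.example/pub.txt': { status: 200, body: 'public file' },
};

function resolve(hostname) {
  if (/^\d+\.\d+\.\d+\.\d+$/.test(hostname)) return hostname; // IP literal, no lookup
  const ip = FAKE_DNS[hostname];
  if (!ip) throw new Error(`NXDOMAIN ${hostname}`);
  return ip;
}

function request(url) {
  return FAKE_HTTP[url] || { status: 404, body: '' };
}

function isRedirect(r) {
  return r.status >= 300 && r.status < 400 && typeof r.location === 'string';
}

// Vulnerable pattern (the one the report describes): the blocklist is consulted
// once, for the URL the user supplied, and every redirect is then followed.
function fetchVulnerable(startUrl, maxRedirects = 5) {
  if (isForbiddenIPv4(resolve(new URL(startUrl).hostname))) {
    return { blocked: true, url: startUrl, hops: [] };
  }
  let url = startUrl;
  const hops = [];
  for (let i = 0; i <= maxRedirects; i++) {
    const r = request(url);
    if (isRedirect(r)) {
      hops.push(url);
      url = new URL(r.location, url).href; // relative Location resolved against current URL
      continue;
    }
    return { blocked: false, url, hops, body: r.body };
  }
  throw new Error('too many redirects');
}

// Hardened pattern: every hop, including the first, is resolved and checked
// before a request is sent, so a redirect into the blocked ranges is refused.
function fetchHardened(startUrl, maxRedirects = 5) {
  let url = startUrl;
  const hops = [];
  for (let i = 0; i <= maxRedirects; i++) {
    const u = new URL(url); // WHATWG parsing also normalizes forms like 2130706433 to 127.0.0.1
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return { blocked: true, url, hops };
    if (isForbiddenIPv4(resolve(u.hostname))) return { blocked: true, url, hops };
    const r = request(url);
    if (isRedirect(r)) {
      hops.push(url);
      url = new URL(r.location, url).href;
      continue;
    }
    return { blocked: false, url, hops, body: r.body };
  }
  throw new Error('too many redirects');
}
```

With these tables, `fetchVulnerable('http://tinyurl.example/abc')` passes the check on the public redirector and then returns the body of `http://localhost:8080/admin`, while `fetchHardened` stops at that hop with `blocked: true`. Per-hop checking is necessary but still not the whole fix: the address checked here is the one a separate resolve() returned, not the one the socket eventually connects to, so a DNS-rebinding host can pass the check and then resolve elsewhere. The robust form pins the checked address by connecting to it directly (or validating inside the client's lookup hook) and, where redirects are not needed, simply does not follow them.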
Feel free to set up a custom Uppy version on your server and try these steps on it:
Go to https://uppy.io/
https://tinyurl.com/gqdv39p (it redirects to
Unauthorized access to sensitive info on internal hosts/services.