Versions of @uppy/companion
prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The get
route passes the user-controlled variable req.body.url
to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server.
Upgrade to version 1.9.3 or later.