Lucene search
GoogleOSV:GHSA-MM7R-265W-JV6FHistorySep 03, 2020 - 3:51 p.m.
Server-Side Request Forgery in @uppy/companion
2020-09-0315:51:19
Google
osv.dev
5
0.003 Low
EPSS
Percentile
68.3%
Versions of @uppy/companion prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The get route passes the user-controlled variable req.body.url to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server.
Recommendation
Upgrade to version 1.9.3 or later.
| CPE | Name | Operator | Version |
|---|---|---|---|
| @uppy/companion | lt | 1.9.3 |
Related
hackerone
hackerone
Node.js third-party modules: Server Side Request Forgery in Uppy npm module
2020-01-31 16:31:11
cvelist
cvelist
CVE-2020-8135
2020-03-20 18:26:32
cve
cve
CVE-2020-8135
2020-03-20 19:15:12
veracode
veracode
Server-Side Request Forgery (SSRF)
2020-03-03 05:40:36
Server-Side Request Forgery (SSRF)
2020-06-29 02:56:26
nodejs
nodejs
Server-Side Request Forgery
2020-03-26 19:35:50
attackerkb
attackerkb
CVE-2020-8135
2020-03-20 00:00:00
prion
prion
Server side request forgery (ssrf)
2020-03-20 19:15:00
osv
osv
CVE-2020-8135
2020-03-20 19:15:12
nvd
nvd
CVE-2020-8135
2020-03-20 19:15:12
githubexploit
githubexploit
Exploit for Server-Side Request Forgery in Uppy
2020-12-01 09:45:48
github
github
Server-Side Request Forgery in @uppy/companion
2020-09-03 15:51:19