Server-Side Request Forgery (SSRF)
uppy is vulnerable to server-side request forgery. The /get route calls downloadURL without validating the url parameter, allowing an attacker to make HTTP requests in the context of the server. This can result in the extraction of information from any internal resource...
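
The missing check is validation of the url parameter before the server fetches it. The sketch below is an added example, not uppy's code or its actual fix: the names isInternalAddress and resolveSafeTarget, the blocked ranges and the injectable lookup argument are all assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not uppy's code.
const net = require('net');
const dns = require('dns').promises;

// Destinations a user-supplied URL must never reach from the server.
const blocked = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) blocked.addSubnet(prefix, bits, 'ipv4');
blocked.addAddress('::', 'ipv6');          // unspecified
blocked.addAddress('::1', 'ipv6');         // loopback
blocked.addSubnet('fc00::', 7, 'ipv6');    // unique local
blocked.addSubnet('fe80::', 10, 'ipv6');   // link-local

function isInternalAddress(ip) {
  const family = net.isIP(ip);             // 0 means "not an IP literal"
  if (family === 0) return true;           // fail closed
  return blocked.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// Validate the `url` parameter before any server-side download.
// `lookup` is injectable so the check can be exercised offline.
async function resolveSafeTarget(rawUrl, lookup = (h, o) => dns.lookup(h, o)) {
  const url = new URL(rawUrl);             // throws on malformed input
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('scheme not allowed');
  }
  // The URL parser normalises numeric IPv4 forms (2130706433 -> 127.0.0.1).
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const answers = net.isIP(host)
    ? [{ address: host }]
    : await lookup(host, { all: true });
  if (answers.length === 0) throw new Error('host did not resolve');
  for (const { address } of answers) {
    if (isInternalAddress(address)) {
      throw new Error(`internal address refused: ${address}`);
    }
  }
  // Connect to this exact address (not a fresh lookup), and re-run the
  // check on every redirect hop.
  return { url, address: answers[0].address };
}
```

The returned address is the one that was checked, so the download should connect to it directly. Resolving the hostname a second time at fetch time would reopen the gap.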