uppy is vulnerable to server-side request forgery (SSRF). The vulnerability exists in the `isPrivateIP` function in `request.js`, which does not properly check IPv4-mapped IPv6 addresses when the address contains a double colon in front of the IPv4 part (example: `::ffff:7f00:2`, which maps to `127.0.0.2`). Because such an address is not recognized as private, an attacker can make the server send requests on its behalf to any IP address, including private and cloud-provider IP addresses.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | uppy | le | 2.3.2 |
| | @uppy/companion | le | 3.1.4 |