PT-2020-19971 · Uppy · Uppy+1

Published: 2020-03-20 · Updated: 2020-09-03 · CVE-2020-8135

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: uppy versions prior to 1.9.3; @uppy/companion versions prior to 1.9.3

Description: The issue allows an attacker to perform a Server-Side Request Forgery (SSRF) attack, enabling them to scan local or external networks or interact with internal systems. This is possible because the get route in @uppy/companion passes the user-controlled variable req.body.url to a GET request without proper validation, so an attacker can supply an arbitrary URL and have the server issue a GET request to it on their behalf.

Recommendations: For uppy versions prior to 1.9.3, upgrade to version 1.9.3 or later. For @uppy/companion versions prior to 1.9.3, upgrade to version 1.9.3 or later.

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2020-8135
GHSA-MM7R-265W-JV6F

Affected Products

@Uppy/Companion
Uppy