PT-2022-13242 · Unknown+1 · @Uppy/Companion+1
Published 2022-03-03 · Updated 2023-07-10 · CVE-2022-0528
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
uppy versions prior to 3.3.1
@uppy/companion versions prior to 3.3.1
Description
The issue allows exposure of sensitive information to an unauthorized actor. It also enables incorrect authorization: a user with access to the URL upload feature could enumerate the internal network of the Companion server, send files from local web servers to the destination server, and download those files if they have guessable, regular names.
Recommendations
For uppy versions prior to 3.3.1, update to version 3.3.1 or later.
For @uppy/companion versions prior to 3.3.1, update to version 3.3.1 or later. As a temporary workaround, consider restricting access to the URL upload feature to minimize the risk of exploitation.
Incorrect Authorization
Information Disclosure
SSRF
Related Identifiers
Affected Products
@Uppy/Companion
Uppy