@uppy/companion@1.8.0 vulnerabilities

OAuth helper and remote fetcher for Uppy's (https://uppy.io) extensible file upload widget with support for drag&drop, resumable uploads, previews, restrictions, file processing/encoding, remote providers like Dropbox and Google Drive, S3 and more :dog:

Direct Vulnerabilities

Known vulnerabilities in the @uppy/companion package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Information Exposure

@uppy/companion is a server integration for Uppy file uploader.

Affected versions of this package are vulnerable to Information Exposure via a debug flag that is set to true by default, a user with URL upload access could enumerate internal companion server networks, send local webservers files to the destination server, and finally download them If each of these files had a guessable and regular name.

How to fix Information Exposure?

Upgrade @uppy/companion to version 3.3.1 or higher.

<3.3.1
  • C
Server-side Request Forgery (SSRF)

@uppy/companion is a server integration for Uppy file uploader.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). The get route passes the user-controlled variable req.body.url to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @uppy/companion to version 1.9.3 or higher.

<1.9.3
  • C
Server-side Request Forgery (SSRF)

@uppy/companion is a server integration for Uppy file uploader.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). An attacker can create a host or file and redirect all requests which are being received to a specific internal host.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @uppy/companion to version 1.13.2, 2.0.0-alpha.5 or higher.

<1.13.2 >=2.0.0-alpha.0 <2.0.0-alpha.5