@uppy/companion/.../companion@1.9.4 vulnerabilities

OAuth helper and remote fetcher for Uppy's (https://uppy.io) extensible file upload widget with support for drag&drop, resumable uploads, previews, restrictions, file processing/encoding, remote providers like Dropbox and Google Drive, S3 and more :dog:

  • latest version

    5.2.0

  • latest non vulnerable version

  • first published

    6 years ago

  • latest version published

    10 days ago

  • licenses detected

    • >=0.14.0 <4.0.1
  • Direct Vulnerabilities

    Known vulnerabilities in the @uppy/companion package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Information Exposure

    @uppy/companion is a server integration for Uppy file uploader.

    Affected versions of this package are vulnerable to Information Exposure via a debug flag that is set to true by default. A user with URL upload access could enumerate internal Companion server networks, send files from local web servers to the destination server, and finally download them if each of these files had a guessable, regular name.

    How to fix Information Exposure?

    Upgrade @uppy/companion to version 3.3.1 or higher.

    <3.3.1
    • C
    Server-side Request Forgery (SSRF)

    @uppy/companion is a server integration for Uppy file uploader.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). An attacker can create a host or file that redirects all received requests to a specific internal host.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade @uppy/companion to version 1.13.2, 2.0.0-alpha.5 or higher.

    <1.13.2, >=2.0.0-alpha.0 <2.0.0-alpha.5