5.2.0
6 years ago
10 days ago
Known vulnerabilities in the @uppy/companion package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
@uppy/companion is a server integration for Uppy file uploader. Affected versions of this package are vulnerable to Information Exposure via a debug flag that is set to true by default, a user with URL upload access could enumerate internal companion server networks, send local webservers files to the destination server, and finally download them If each of these files had a guessable and regular name. How to fix Information Exposure? Upgrade | <3.3.1 |
@uppy/companion is a server integration for Uppy file uploader. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). An attacker can create a host or file and redirect all requests which are being received to a specific internal host. How to fix Server-side Request Forgery (SSRF)? Upgrade | <1.13.2>=2.0.0-alpha.0 <2.0.0-alpha.5 |