CVE-2020-8135

Description

Versions of `@uppy/companion` prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The `get` route passes the user-controlled variable `req.body.url` to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server. ## Recommendation Upgrade to version 1.9.3 or later.

How to fix CVE-2020-8135

To remediate CVE-2020-8135, upgrade the affected package to a fixed version below.

• npm/@uppy/companion—upgrade to 1.9.3 or later

Is CVE-2020-8135 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.9.3

References (3)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-8135
• WEBhackerone.com/reports/786956
• WEBwww.npmjs.com/advisories/1501