Versions of @uppy/companion prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The get route passes the user-controlled variable req.body.url to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server.

Recommendation

Upgrade to version 1.9.3 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-8135
• https://hackerone.com/reports/786956
• https://www.npmjs.com/advisories/1501