In this post, we explain how Shieldfy detected an SSRF (Server-Side Request Forgery) vulnerability in Uppy, one of the popular packages on npm, and dive into the technical details of the vulnerability, its exploitation and the fix.
Uppy is a sleek, modular JavaScript file uploader that integrates seamlessly with any application. It’s fast, easy to use and lets you worry about more important problems than building a file uploader. Uppy has more than 130,000 downloads a month.
It started when we were trying out the new vulnerability engine for Shieldfy. We installed Shieldfy on some of the most active Node.js repositories on GitHub and got a hit.
Uppy has a great structure: instead of one monolithic package, each feature lives in its own sub-package inside the main package.
Shieldfy spotted a vulnerability inside @uppy/companion, the server-side component responsible for handling uploads in the backend, in the way Companion treats uploading from a URL.
If you take a closer look at the code above, you will find the downloadURL function, which requests the URL directly without any validation. If you track how downloadURL is called, you will find it is called inside the get handler with the parameter req.body.url:
uploader.onSocketReady(() => {
  logger.debug('Socket connection received. Starting remote download.', null, req.id)
  // req.body.url is passed straight from the request body to downloadURL:
  // no protocol whitelist and no check on which host or IP it points to
  downloadURL(req.body.url, uploader.handleChunk.bind(uploader), req.id)
})
Bingo, we had found an SSRF vulnerability. All we had to do now was develop a valid exploit and prove that the vulnerability is exploitable in real life.
We uploaded a working example of Uppy and Companion; you can find it here "" (deploy at your own risk). To exploit the SSRF you make the server request any internal host it can reach, including hosts the attacker cannot reach directly; as a PoC we decided to fetch the server's instance metadata.
After verifying that the vulnerability was exploitable, it was time to report it to the Node.js Security team and the Uppy team.
I have to admit, they were very responsive and deployed a fantastic fix immediately after they verified the vulnerability on their end.
The fix
They patched the vulnerability by adding validation of the target IP addresses and allowing only the HTTP and HTTPS protocols. You can follow the discussion in the PR here: 2083, and the HackerOne report here: https://hackerone.com/reports/786956
Thanks to the Uppy team and the Node.js security team.