7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-0528

GHSA ID

GHSA-q24h-5rq3-63j9

EPSS Score

0.49492%

CWE

CWE-200

Published

3/4/2022

Updated

6/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-0528

CVE-2022-0528:
Incorrect Authorization in @uppy/companion

@uppy/companion prior to version 3.3.1 is vulnerable to incorrect authorization. A user with URL upload access could enumerate internal companion server networks, send local webservers files to the destination server, and finally download them If each of these files had a guessable and regular name.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-0528

GHSA ID

GHSA-q24h-5rq3-63j9

EPSS Score

0.49492%

CWE

CWE-200

Published

3/4/2022

Updated

6/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@uppy/companion	npm	< 3.3.1	3.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from the debug flag enabling TLD validation bypass (require_tld: !debug). This allowed local/internal URLs when debug=true (default in vulnerable versions). The functions validateURL(), meta, and get() in url.js used this flag to weaken security checks, enabling SSRF and internal network probing. The patch replaced debug with allowLocalUrls (default false) and hardened TLD validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

@uppy/*omp*nion prior to v*rsion *.*.* is vuln*r**l* to in*orr**t *ut*oriz*tion. * us*r wit* URL uplo** ****ss *oul* *num*r*t* int*rn*l *omp*nion s*rv*r n*tworks, s*n* lo**l w**s*rv*rs *il*s to t** **stin*tion s*rv*r, *n* *in*lly *ownlo** t**m I* ***

Reasoning

T** vuln*r**ility st*mm** *rom t** ***u* *l** *n**lin* TL* v*li**tion *yp*ss (r*quir*_tl*: !***u*). T*is *llow** lo**l/int*rn*l URLs w**n ***u*=tru* (****ult in vuln*r**l* v*rsions). T** *un*tions `v*li**t*URL()`, m*t*, *n* `**t()` in `url.js` us** t

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-0528: Incorrect Authorization in @uppy/companion

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-0528:
Incorrect Authorization in @uppy/companion

Vulnerability Intelligence
Miggo AI