CVE-2022-0086

9.8 CRITICAL

📋 TL;DR

CVE-2022-0086 is a Server-Side Request Forgery (SSRF) vulnerability in the Uppy file uploader library. It allows attackers to make unauthorized requests from the server to internal network resources or external systems. This affects any application using vulnerable versions of Uppy with server-side components that process file uploads.

💻 Affected Systems

Products:
  • Uppy
Versions: Versions before 2.3.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects server-side implementations of Uppy that process file uploads. Client-only usage is not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive internal services, exfiltrate data from internal networks, or chain with other vulnerabilities to achieve remote code execution.

🟠 Likely Case

Unauthorized access to internal HTTP services, metadata harvesting from cloud services, or scanning of internal network infrastructure.

🟢 If Mitigated

Limited to external resource probing if proper network segmentation and input validation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to trigger file upload processing on the server. Public proof-of-concept exists in the huntr.dev bounty report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.2 and later

Vendor Advisory: https://github.com/transloadit/uppy/commit/fc137e30a2a3102eb191141f280d5de20dacdf8f

Restart Required: Yes

Instructions:

1. Update the Uppy packages to version 2.3.2 or later using npm: npm update @uppy/core @uppy/server
2. Restart your application server
3. Verify the fix by checking the package version in package.json

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side validation to reject file uploads with URLs pointing to internal IP ranges or restricted domains.

Network Segmentation (applies to: all)

Restrict outbound network access from the application server to only the external services it needs.

🧯 If You Can't Patch

  • Implement strict allowlist of permitted domains for file upload URLs
  • Deploy network-based controls to block outbound requests to internal IP ranges from application servers
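An added example (not Uppy's or this page's own code) of the validation the workaround and the allowlist item above describe: a check run on an upload source URL before the server fetches it. It assumes Node.js with the WHATWG URL class; the function names and the blocked ranges are my own choices.

```javascript
// Added example, not Uppy code: reject upload source URLs that point at
// non-HTTP schemes, loopback/link-local (incl. 169.254.169.254 metadata),
// private (RFC 1918) or IPv6 ULA addresses; optionally enforce an allowlist.
const BLOCKED_V4 = [ // [network, prefix length]
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 8],
];
function v4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function inV4Range(ip, [base, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return (v4ToInt(ip) & mask) === (v4ToInt(base) & mask);
}
// `host` is the hostname as normalised by the URL parser: lowercased, IPv4
// literals (incl. decimal/hex forms) as dotted quads, IPv6 without brackets.
function isBlockedAddress(host) {
  if (host === "localhost") return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    return BLOCKED_V4.some((r) => inV4Range(host, r));
  }
  if (host.includes(":")) { // IPv6 literal
    // IPv4-mapped address; the URL parser serialises it as ::ffff:hhhh:hhhh
    const m = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (m) {
      const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
      return isBlockedAddress([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
    }
    // loopback, unspecified, link-local fe80::/10, ULA fc00::/7
    return host === "::1" || host === "::" || /^fe[89ab]/.test(host) || /^f[cd]/.test(host);
  }
  return false; // a DNS name: resolve it and pass the resulting address back in
}
function isSafeUploadUrl(input, allowedHosts = null) {
  let url;
  try { url = new URL(input); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (!/^https?:$/.test(url.protocol)) return { ok: false, reason: "scheme not allowed" };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (isBlockedAddress(host)) return { ok: false, reason: "internal address" };
  if (allowedHosts && !allowedHosts.includes(host)) return { ok: false, reason: "host not on allowlist" };
  return { ok: true, reason: "" };
}
```

A DNS name passes this check unchanged: resolve it, feed the resulting address back into isBlockedAddress, and make the fetch connect to that same address, otherwise a name that resolves (or later re-resolves) to an internal IP slips through.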

🔍 How to Verify

Check if Vulnerable:

Check package.json for the Uppy version. If the version is below 2.3.2 and you use server-side processing, you are vulnerable.

Check Version:

npm list @uppy/core @uppy/server | grep uppy

Verify Fix Applied:

Verify Uppy version is 2.3.2 or higher in package.json and test that internal URL uploads are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload requests with URLs pointing to internal IP addresses
  • Failed upload attempts with internal network URLs

Network Indicators:

  • Outbound HTTP requests from application server to internal IP ranges
  • Unusual traffic patterns from app server to metadata services

SIEM Query:

source="application.logs" AND ("upload" OR "uppy") AND ("169.254" OR "10." OR "172.16" OR "192.168" OR "metadata")

Note that the bare prefixes match broadly (for example "10." matches any string that contains it, and "172.16" covers only one of the sixteen 172.16/12 blocks), so expect to tune the query to your log format before alerting on it.

🔗 References
