CVE-2022-0528

6.5 MEDIUM

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Uppy file uploader library. Attackers can exploit this to make the server send unauthorized requests to internal or external systems. Users of Uppy versions prior to 3.3.1 are affected.

💻 Affected Systems

Products:
  • Uppy
Versions: All versions prior to 3.3.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using vulnerable Uppy versions for file upload functionality.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or perform internal network reconnaissance leading to further compromise.

🟠 Likely Case

Unauthorized access to internal HTTP services, potential data leakage from internal endpoints, or abuse of server resources.

🟢 If Mitigated

Limited impact with proper network segmentation and input validation, potentially only causing denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited and proof-of-concept details are available in public references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.1

Vendor Advisory: https://github.com/transloadit/uppy/commit/267c34045a1e62c98406d8c31261c604a11e544a

Restart Required: No

Instructions:

1. Update the Uppy dependency to version 3.3.1 or later.
2. Run npm update uppy or yarn upgrade uppy.
3. Test file upload functionality.

🔧 Temporary Workarounds

Input Validation (all)

Implement strict validation of user-supplied URLs before processing.

Network Segmentation (all)

Restrict server outbound connections to only necessary destinations.
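As an added illustration of the Input Validation workaround above (example code written for this page, not Uppy's own), a fetch-target check that refuses URLs pointing at loopback, link-local or RFC 1918 space. It assumes the caller resolves the hostname first and passes the resolved IPv4 address, so a hostname that resolves to an internal host is refused too; the range list and the resolvedIp parameter are this example's own choices.

```javascript
// Added example, not Uppy's own code: decide whether the server may fetch a
// user-supplied URL. Blocks loopback, link-local and RFC 1918 targets, and
// also checks the address the hostname resolved to (supplied by the caller).

// Parse a dotted-quad IPv4 string into an unsigned 32-bit number, or null.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Ranges the server must never be tricked into contacting (CIDR form).
const BLOCKED_RANGES = [
  ['0.0.0.0', 8], ['127.0.0.0', 8], ['10.0.0.0', 8],
  ['172.16.0.0', 12], ['192.168.0.0', 16], ['169.254.0.0', 16],
];

// True if ip is inside any blocked range; anything unparseable is blocked.
function isBlockedIPv4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true;
  return BLOCKED_RANGES.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// resolvedIp is the IPv4 address the caller obtained from DNS for the
// hostname (assumed, optional here); pass it so DNS-based evasion is caught.
function isSafeFetchTarget(urlString, resolvedIp) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.username || url.password) return false;
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host.includes(':')) return false; // IPv6 literal: refuse outright
  // WHATWG URL normalises IPv4 literals (e.g. "2130706433" -> "127.0.0.1").
  if (/^[\d.]+$/.test(host) && isBlockedIPv4(host)) return false;
  if (resolvedIp !== undefined && isBlockedIPv4(resolvedIp)) return false;
  return true;
}
```

The check is syntactic plus one resolved address; it does not by itself defend against a hostname whose answer changes between the check and the fetch, which is why the outbound network restriction listed above should be applied alongside it.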

🧯 If You Can't Patch

  • Implement web application firewall rules to block SSRF patterns
  • Monitor outbound network traffic for unusual requests from the application server

🔍 How to Verify

Check if Vulnerable:

Check package.json or lock file for Uppy version below 3.3.1

Check Version:

npm list uppy or check package.json for "uppy" version

Verify Fix Applied:

Confirm Uppy version is 3.3.1 or higher in package.json

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from application server
  • Requests to internal IP addresses or localhost

Network Indicators:

  • HTTP requests to unexpected destinations from application server
  • Requests to internal network segments

SIEM Query (pseudo-syntax; note that dest_ip=172.16.* matches only 172.16.0.0/16, not the whole 172.16.0.0/12 private range):

source="application-server" AND (dest_ip=127.0.0.1 OR dest_ip=10.* OR dest_ip=172.16.* OR dest_ip=192.168.*)
