
Incorrect Package Name in Advisory GHSA-x8rq-rc7x-5fg5 for @uppy/component

Open shivakumar-loginsoft opened this issue 3 months ago • 2 comments

Hello team,

I noticed that the GitHub advisory for GHSA-x8rq-rc7x-5fg5 lists the vulnerable package as uppy, whereas the actual vulnerable package appears to be @uppy/component.

This vulnerability is a bypass for GHSA-mm7r-265w-jv6f (CVE-2020-8135), as reported on Huntr (https://huntr.com/bounties/c1c03ef6-3f18-4976-a9ad-08c251279122), which references the original report on HackerOne (https://hackerone.com/reports/786956).

I have also verified the advisory for any potential transitive dependencies. Based on the vulnerable version range specified (< 2.3.3) on the npm page (https://www.npmjs.com/package/uppy/v/2.3.2), there is no indication that the uppy package includes a dependency on @uppy/component.

Could you please review this and make any necessary corrections to the advisory?

Thank you!

shivakumar-loginsoft avatar Sep 08 '25 12:09 shivakumar-loginsoft
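The check the reporter describes (does the package named in the advisory actually reach the vulnerable package through its dependency tree, within the advisory's version range?) generalizes to any advisory whose affected-package field is in doubt. The script below is an added example written for this thread; it is not code from the uppy project or the advisory database. The registry snapshot it walks is constructed for illustration and does not reflect uppy's real dependency metadata, and the range-matching covers only simple comparator clauses, not full npm semver syntax.

```python
"""Reconcile an advisory's affected package with a dependency graph.

Added example for the GHSA-x8rq-rc7x-5fg5 thread. REGISTRY is a constructed,
lockfile-like snapshot ("name@version" -> {dep: exact version}); it is NOT the
real uppy metadata. The advisory dicts below are likewise illustrative.
"""
import re

# Constructed registry snapshot (assumption: not real npm data).
REGISTRY = {
    "uppy@2.3.2": {"@uppy/core": "2.3.2", "@uppy/dashboard": "2.3.2"},
    "@uppy/core@2.3.2": {},
    "@uppy/dashboard@2.3.2": {"@uppy/core": "2.3.2"},
    "example-app@1.0.0": {"uppy": "2.3.2", "@uppy/companion": "2.3.2"},
    "@uppy/companion@2.3.2": {},
}

_CLAUSE = re.compile(r"^(<=|>=|<|>|=)?\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(version: str) -> tuple:
    """Turn '2.3.2' into (2, 3, 2) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def in_range(version: str, range_expr: str) -> bool:
    """True if version satisfies every comma-separated clause, e.g. '>= 2.0.0, < 2.3.3'.

    Only plain comparator clauses are supported; anything else raises.
    """
    ver = parse_version(version)
    for clause in range_expr.split(","):
        match = _CLAUSE.match(clause.strip())
        if not match:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op = match.group(1) or "="
        bound = parse_version(match.group(2))
        satisfied = {
            "<": ver < bound, "<=": ver <= bound,
            ">": ver > bound, ">=": ver >= bound, "=": ver == bound,
        }[op]
        if not satisfied:
            return False
    return True


def affected_paths(root: str, advisory: dict, registry: dict) -> list:
    """Return dependency paths from root to every node matching the advisory.

    Each path is a list of 'name@version' strings. A node is reported once,
    via the first path that reaches it, so shared (diamond) dependencies do
    not produce duplicate hits.
    """
    hits, seen = [], set()

    def walk(node: str, path: list) -> None:
        if node in seen:
            return
        seen.add(node)
        # rpartition keeps scoped names like '@uppy/companion' intact.
        name, _, version = node.rpartition("@")
        if name == advisory["package"] and in_range(version, advisory["range"]):
            hits.append(path + [node])
        for dep, dep_version in registry.get(node, {}).items():
            walk(f"{dep}@{dep_version}", path + [node])

    walk(root, [])
    return hits


if __name__ == "__main__":
    # As originally published: affected package 'uppy', range '< 2.3.3'.
    as_published = {"package": "uppy", "range": "< 2.3.3"}
    # As corrected in the thread: affected package '@uppy/companion'.
    corrected = {"package": "@uppy/companion", "range": "< 2.3.3"}

    # uppy@2.3.2 matches the published advisory directly...
    print(affected_paths("uppy@2.3.2", as_published, REGISTRY))
    # ...but in this constructed graph it never pulls in @uppy/companion,
    # which is the reporter's point about transitive dependencies.
    print(affected_paths("uppy@2.3.2", corrected, REGISTRY))
    # An application depending on @uppy/companion directly does match.
    print(affected_paths("example-app@1.0.0", corrected, REGISTRY))
```

Run it against a real `package-lock.json` by building `REGISTRY` from the lockfile's `packages` map instead of the constructed dict; the walk itself does not change. When the advisory names a package that the walk never reaches from the consumer's root, the advisory metadata, not the consumer's dependency tree, is what needs review.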

👋 @shivakumar-loginsoft, thank you for your contribution. Could you make a pull request for this?

Also, based on the huntr and hackerone reports, I believe you mean @uppy/companion instead of @uppy/component. Is that correct?

JonathanLEvans avatar Sep 08 '25 14:09 JonathanLEvans

That's true, sorry for the typo. Will make a PR for this.

shivakumar-loginsoft avatar Sep 08 '25 15:09 shivakumar-loginsoft

Hi @shivakumar-loginsoft,

We updated GHSA-x8rq-rc7x-5fg5 to reflect the correct affected package. Thank you for your contribution!

JonathanLEvans avatar Dec 22 '25 17:12 JonathanLEvans