addax@1.0.5 vulnerabilities

Proxy to serve presigned s3 downloads to authenticated users

Direct Vulnerabilities

Known vulnerabilities in the addax package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Arbitrary Code Injection

addax is a HTTP proxy to serve private S3 files to authenticated clients.

Affected versions of this package are vulnerable to Arbitrary Code Injection. User input on the presignPath function, which receives input directly from the API endpoint, is not validated, which allows code injection. Note: Exploitation of this vulnerability requires authentication.

How to fix Arbitrary Code Injection?

Upgrade addax to version 1.1.0 or higher.

<1.1.0