uppy is vulnerable to server-side request forgery (SSRF). The vulnerability exists in the isPrivateIP function in request.js, which does not properly check IPv4-mapped IPv6 addresses when they contain a double colon in front of the IP address (example: ::ffff:7f00:2). This allows an attacker to send requests on behalf of the server to any IP address, including private and cloud IP addresses.
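One way to close the gap described above is to expand every address to its eight 16-bit groups before classifying it, so an IPv4-mapped address is judged by its embedded IPv4 value however it is written. This is an added example, not uppy's code or its fix; the helper names and the fail-closed handling of unparseable input are assumptions.

```javascript
// Added example, not uppy's code; all function names here are hypothetical.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const b = m.slice(1).map(Number);
  return b.every((x) => x <= 255) ? b : null;
}

// Expand any textual IPv6 form to eight 16-bit groups, or return null.
function parseIPv6(s) {
  let str = s.toLowerCase();
  const cut = str.lastIndexOf(':') + 1;
  const tail = parseIPv4(str.slice(cut)); // dotted tail, e.g. ::ffff:127.0.0.2
  if (tail) {
    const hi = ((tail[0] << 8) | tail[1]).toString(16);
    const lo = ((tail[2] << 8) | tail[3]).toString(16);
    str = `${str.slice(0, cut)}${hi}:${lo}`;
  }
  const halves = str.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - rest.length : 0;
  if (halves.length === 2 && fill < 1) return null;
  const groups = [...head, ...Array(fill).fill('0'), ...rest];
  if (groups.length !== 8) return null;
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function isPrivateIPv4(b) {
  return b[0] === 0 || b[0] === 10 || b[0] === 127 ||
    (b[0] === 169 && b[1] === 254) ||          // link-local, cloud metadata
    (b[0] === 172 && (b[1] & 0xf0) === 16) ||  // 172.16.0.0/12
    (b[0] === 192 && b[1] === 168);
}

function isPrivateIP(addr) {
  const v4 = parseIPv4(addr);
  if (v4) return isPrivateIPv4(v4);
  const g = parseIPv6(addr);
  if (!g) return true; // assumption: unparseable input is refused (fail closed)
  const zeros = (n) => g.slice(0, n).every((x) => x === 0);
  if (zeros(5) && g[5] === 0xffff) { // IPv4-mapped, ::ffff:0:0/96
    return isPrivateIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  if (zeros(7) && g[7] <= 1) return true; // :: and ::1
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // ULA, link-local
}
```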