This repository has been archived by the owner on Feb 18, 2022. It is now read-only.
Affected package: node-fetch
Ecosystem: NPM
Affected version range: < 2.6.1
Summary: The `size` option isn't honored after following a redirect in node-fetch
Description:
### Impact
Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure.

For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

### Patches
We released patched versions for both stable and beta channels:
- For v2: 2.6.1
- For v3: 3.0.0-beta.9

### Workarounds
None; it is strongly recommended to update as soon as possible.

### For more information
If you have any questions or comments about this advisory:
- Open an issue in node-fetch
- Contact one of the core maintainers.

Identifiers: GHSA-w7rc-rwvf-8q5r, CVE-2020-15168
Fixed Version: 2.6.1
Created Date: January 25, 2022
---
Affected package: node-fetch
Ecosystem: NPM
Affected version range: < 2.6.7
Summary: node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Description: node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Identifiers: GHSA-r683-j2x4-v87g, CVE-2022-0235
Fixed Version: 2.6.7
Created Date: January 25, 2022
---