VulnerableCode Package Details - pkg:deb/debian/node-fetch@3.3.2%2B~cs11.4.11-3?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ebme-b1mh-qygu	node-fetch Inefficient Regular Expression Complexity [node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `'http://' + 'a.a.'.repeat(i) + 'a'`.	CVE-2022-2596 GHSA-vp56-6g26-6827
VCID-x4yh-ez8g-6ya1	URL Redirection to Untrusted Site ('Open Redirect') node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor	CVE-2022-0235 GHSA-r683-j2x4-v87g
VCID-y5g7-w6ur-8qaq	The `size` option isn't honored after following a redirect in node-fetch ### Impact Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. ### Patches We released patched versions for both stable and beta channels: - For `v2`: 2.6.1 - For `v3`: 3.0.0-beta.9 ### Workarounds None, it is strongly recommended to update as soon as possible. ### For more information If you have any questions or comments about this advisory: * Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+) * Contact one of the core maintainers.	CVE-2020-15168 GHSA-w7rc-rwvf-8q5r

Vulnerability

Summary

Aliases

VCID-ebme-b1mh-qygu

node-fetch Inefficient Regular Expression Complexity [node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `'http://' + 'a.a.'.repeat(i) + 'a'`.

CVE-2022-2596
GHSA-vp56-6g26-6827

VCID-x4yh-ez8g-6ya1

URL Redirection to Untrusted Site ('Open Redirect') node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

CVE-2022-0235
GHSA-r683-j2x4-v87g

VCID-y5g7-w6ur-8qaq

The `size` option isn't honored after following a redirect in node-fetch ### Impact Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. ### Patches We released patched versions for both stable and beta channels: - For `v2`: 2.6.1 - For `v3`: 3.0.0-beta.9 ### Workarounds None, it is strongly recommended to update as soon as possible. ### For more information If you have any questions or comments about this advisory: * Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+) * Contact one of the core maintainers.

CVE-2020-15168
GHSA-w7rc-rwvf-8q5r

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:26:11.238804+00:00	Debian Importer	Fixing	VCID-y5g7-w6ur-8qaq	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T12:54:56.523177+00:00	Debian Importer	Fixing	VCID-x4yh-ez8g-6ya1	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:27:17.556285+00:00	Debian Importer	Fixing	VCID-ebme-b1mh-qygu	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:16:08.047626+00:00	Debian Importer	Fixing	VCID-y5g7-w6ur-8qaq	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:52:03.302501+00:00	Debian Importer	Fixing	VCID-x4yh-ez8g-6ya1	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:18:27.053196+00:00	Debian Importer	Fixing	VCID-ebme-b1mh-qygu	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:47:08.111123+00:00	Debian Importer	Fixing	VCID-ebme-b1mh-qygu	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:47:08.075864+00:00	Debian Importer	Fixing	VCID-x4yh-ez8g-6ya1	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:47:08.040390+00:00	Debian Importer	Fixing	VCID-y5g7-w6ur-8qaq	https://security-tracker.debian.org/tracker/data/json	38.1.0