Search for packages
| purl | pkg:npm/node-fetch@1.4.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-x4yh-ez8g-6ya1
Aliases: CVE-2022-0235 GHSA-r683-j2x4-v87g |
URL Redirection to Untrusted Site ('Open Redirect') node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-y5g7-w6ur-8qaq
Aliases: CVE-2020-15168 GHSA-w7rc-rwvf-8q5r |
The `size` option isn't honored after following a redirect in node-fetch ### Impact Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. ### Patches We released patched versions for both stable and beta channels: - For `v2`: 2.6.1 - For `v3`: 3.0.0-beta.9 ### Workarounds None, it is strongly recommended to update as soon as possible. ### For more information If you have any questions or comments about this advisory: * Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+) * Contact one of the core maintainers. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||