VulnerableCode Package Details - pkg:npm/node-fetch@2.6.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-x4yh-ez8g-6ya1 Aliases: CVE-2022-0235 GHSA-r683-j2x4-v87g	URL Redirection to Untrusted Site ('Open Redirect') node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor	2.6.7 Affected by 0 other vulnerabilities. 3.0.0-beta.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.1.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-x4yh-ez8g-6ya1
Aliases:
CVE-2022-0235
GHSA-r683-j2x4-v87g

URL Redirection to Untrusted Site ('Open Redirect') node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

2.6.7
Affected by 0 other vulnerabilities.

3.0.0-beta.1
Affected by 1 other vulnerability.

3.1.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-y5g7-w6ur-8qaq	The `size` option isn't honored after following a redirect in node-fetch ### Impact Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. ### Patches We released patched versions for both stable and beta channels: - For `v2`: 2.6.1 - For `v3`: 3.0.0-beta.9 ### Workarounds None, it is strongly recommended to update as soon as possible. ### For more information If you have any questions or comments about this advisory: * Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+) * Contact one of the core maintainers.	CVE-2020-15168 GHSA-w7rc-rwvf-8q5r

Vulnerability

Summary

Aliases

VCID-y5g7-w6ur-8qaq

The `size` option isn't honored after following a redirect in node-fetch ### Impact Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. ### Patches We released patched versions for both stable and beta channels: - For `v2`: 2.6.1 - For `v3`: 3.0.0-beta.9 ### Workarounds None, it is strongly recommended to update as soon as possible. ### For more information If you have any questions or comments about this advisory: * Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+) * Contact one of the core maintainers.

CVE-2020-15168
GHSA-w7rc-rwvf-8q5r

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:37:40.208875+00:00	GitLab Importer	Affected by	VCID-x4yh-ez8g-6ya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml	38.4.0
2026-04-16T21:11:22.138572+00:00	GitLab Importer	Fixing	VCID-y5g7-w6ur-8qaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2020-15168.yml	38.4.0
2026-04-11T22:51:52.038230+00:00	GitLab Importer	Affected by	VCID-x4yh-ez8g-6ya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml	38.3.0
2026-04-11T22:23:13.348116+00:00	GitLab Importer	Fixing	VCID-y5g7-w6ur-8qaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2020-15168.yml	38.3.0
2026-04-02T23:01:17.960428+00:00	GitLab Importer	Affected by	VCID-x4yh-ez8g-6ya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml	38.1.0
2026-04-02T22:35:14.057053+00:00	GitLab Importer	Fixing	VCID-y5g7-w6ur-8qaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2020-15168.yml	38.1.0
2026-04-01T17:20:08.556187+00:00	GitLab Importer	Affected by	VCID-x4yh-ez8g-6ya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml	38.0.0
2026-04-01T16:52:34.620035+00:00	GitLab Importer	Fixing	VCID-y5g7-w6ur-8qaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2020-15168.yml	38.0.0
2026-04-01T15:58:41.696664+00:00	GHSA Importer	Fixing	VCID-y5g7-w6ur-8qaq	https://github.com/advisories/GHSA-w7rc-rwvf-8q5r	38.0.0
2026-04-01T12:59:53.671850+00:00	GithubOSV Importer	Fixing	VCID-y5g7-w6ur-8qaq	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-w7rc-rwvf-8q5r/GHSA-w7rc-rwvf-8q5r.json	38.0.0