Package details: pkg:npm/node-fetch@3.0.0
purl pkg:npm/node-fetch@3.0.0
Next non-vulnerable version 3.2.10
Latest non-vulnerable version 3.2.10
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-ebme-b1mh-qygu
Aliases:
CVE-2022-2596
GHSA-vp56-6g26-6827
node-fetch Inefficient Regular Expression Complexity

[node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `'http://' + 'a.a.'.repeat(i) + 'a'`.

Fixed by: 3.2.10
Affected by 0 other vulnerabilities.
VCID-x4yh-ez8g-6ya1
Aliases:
CVE-2022-0235
GHSA-r683-j2x4-v87g
URL Redirection to Untrusted Site ('Open Redirect')

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Fixed by: 3.1.1
Affected by 1 other vulnerability.
VCID-y5g7-w6ur-8qaq
Aliases:
CVE-2020-15168
GHSA-w7rc-rwvf-8q5r
The `size` option isn't honored after following a redirect in node-fetch

### Impact

Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

### Patches

We released patched versions for both stable and beta channels:

- For `v2`: 2.6.1
- For `v3`: 3.0.0-beta.9

### Workarounds

None, it is strongly recommended to update as soon as possible.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+)
* Contact one of the core maintainers.

There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-04-16T22:06:35.964924+00:00 | GitLab Importer | Affected by | VCID-ebme-b1mh-qygu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-2596.yml | 38.4.0 |
| 2026-04-16T21:37:40.221912+00:00 | GitLab Importer | Affected by | VCID-x4yh-ez8g-6ya1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml | 38.4.0 |
| 2026-04-11T23:22:45.723985+00:00 | GitLab Importer | Affected by | VCID-ebme-b1mh-qygu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-2596.yml | 38.3.0 |
| 2026-04-11T22:51:52.072533+00:00 | GitLab Importer | Affected by | VCID-x4yh-ez8g-6ya1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml | 38.3.0 |
| 2026-04-02T23:29:26.000599+00:00 | GitLab Importer | Affected by | VCID-ebme-b1mh-qygu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-2596.yml | 38.1.0 |
| 2026-04-02T23:01:17.992091+00:00 | GitLab Importer | Affected by | VCID-x4yh-ez8g-6ya1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml | 38.1.0 |
| 2026-04-02T12:37:18.647695+00:00 | GitLab Importer | Affected by | VCID-y5g7-w6ur-8qaq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2020-15168.yml | 38.0.0 |
| 2026-04-01T17:50:48.875956+00:00 | GitLab Importer | Affected by | VCID-ebme-b1mh-qygu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-2596.yml | 38.0.0 |
| 2026-04-01T16:02:54.784696+00:00 | GHSA Importer | Affected by | VCID-ebme-b1mh-qygu | https://github.com/advisories/GHSA-vp56-6g26-6827 | 38.0.0 |
| 2026-04-01T15:59:24.203401+00:00 | GHSA Importer | Affected by | VCID-x4yh-ez8g-6ya1 | https://github.com/advisories/GHSA-r683-j2x4-v87g | 38.0.0 |
| 2026-04-01T12:49:17.917272+00:00 | GitLab Importer | Affected by | VCID-x4yh-ez8g-6ya1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml | 38.0.0 |