VulnerableCode Package Details - pkg:npm/node-fetch@3.0.0-beta.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-y5g7-w6ur-8qaq Aliases: CVE-2020-15168 GHSA-w7rc-rwvf-8q5r	The `size` option isn't honored after following a redirect in node-fetch ### Impact Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. ### Patches We released patched versions for both stable and beta channels: - For `v2`: 2.6.1 - For `v3`: 3.0.0-beta.9 ### Workarounds None, it is strongly recommended to update as soon as possible. ### For more information If you have any questions or comments about this advisory: * Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+) * Contact one of the core maintainers.	3.0.0-beta.9 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-y5g7-w6ur-8qaq
Aliases:
CVE-2020-15168
GHSA-w7rc-rwvf-8q5r

The `size` option isn't honored after following a redirect in node-fetch ### Impact Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. ### Patches We released patched versions for both stable and beta channels: - For `v2`: 2.6.1 - For `v3`: 3.0.0-beta.9 ### Workarounds None, it is strongly recommended to update as soon as possible. ### For more information If you have any questions or comments about this advisory: * Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+) * Contact one of the core maintainers.

3.0.0-beta.9
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-x4yh-ez8g-6ya1	URL Redirection to Untrusted Site ('Open Redirect') node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor	CVE-2022-0235 GHSA-r683-j2x4-v87g

Vulnerability

Summary

Aliases

VCID-x4yh-ez8g-6ya1

URL Redirection to Untrusted Site ('Open Redirect') node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

CVE-2022-0235
GHSA-r683-j2x4-v87g

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:37:40.216702+00:00	GitLab Importer	Fixing	VCID-x4yh-ez8g-6ya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml	38.4.0
2026-04-11T22:51:52.059566+00:00	GitLab Importer	Fixing	VCID-x4yh-ez8g-6ya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml	38.3.0
2026-04-02T23:01:17.980295+00:00	GitLab Importer	Fixing	VCID-x4yh-ez8g-6ya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml	38.1.0
2026-04-01T17:20:08.583140+00:00	GitLab Importer	Fixing	VCID-x4yh-ez8g-6ya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-fetch/CVE-2022-0235.yml	38.0.0
2026-04-01T15:58:41.654395+00:00	GHSA Importer	Affected by	VCID-y5g7-w6ur-8qaq	https://github.com/advisories/GHSA-w7rc-rwvf-8q5r	38.0.0