Fluid Attacks Database

Description

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	node-fetch	>=0 <2.6.1 \|\| =3.0.0	2.6.1, 3.0.0-beta.9
debian 11	node-fetch	>=0 <2.6.1-2	2.6.1-2
debian 12	node-fetch	>=0 <2.6.1-2	2.6.1-2
debian 13	node-fetch	>=0 <2.6.1-2	2.6.1-2
debian 14	node-fetch	>=0 <2.6.1-2	2.6.1-2

Aliases

1. CVE-2020-151682. NVD-2020-151683. OSV-2020-151684. OSV-DEBIAN-2020-151685. GHSA-w7rc-rwvf-8q5r6. GCVE-2020-151687. SECURITY-TRACKER-CVE-2020-15168

References

1. https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r2. https://github.com/node-fetch/node-fetch/commit/2358a6c2563d1730a0cdaccc197c611949f6a3343. https://github.com/node-fetch/node-fetch/commit/eaff0094c4dfdd5b78711a8c4f1b61e33d282072

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.