Fluid Attacks Database

Description

node-fetch forwards secure headers to untrusted sites node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to a untrusted site.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	node-fetch	>=0 <2.6.1-7	2.6.1-7
npm	node-fetch	>=3.0.0 <3.1.1 \|\| >=0 <2.6.7	3.1.1, 2.6.7
debian 14	node-fetch	>=0 <2.6.1-7	2.6.1-7
debian 11	node-fetch	=2.6.1-5 \|\| >=0 <2.6.1-5+deb11u1	2.6.1-5+deb11u1
debian 12	node-fetch	>=0 <2.6.1-7	2.6.1-7
rpm rhel8	cockpit-podman	-	-
rpm rhel8	dotnet3.1	-	-
rpm rhel8	cockpit-composer	-	-
rpm rhel8	389-ds-base	-	-
rpm rhel9	cockpit-composer	-	-

1-10 of 18

Aliases

1. CVE-2022-02352. NVD-2022-02353. OSV-DEBIAN-2022-02354. OSV-2022-02355. GCVE-2022-02356. SECURITY-TRACKER-CVE-2022-02357. lists.debian.org

References

1. https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e602. https://github.com/node-fetch/node-fetch/pull/14533. https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b354. https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa105. https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e606. https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf7. https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.