Fluid Attacks Database

Description

node-fetch Inefficient Regular Expression Complexity node-fetch is a light-weight module that brings window.fetch to node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the isOriginPotentiallyTrustworthy() function in referrer.js, when processing a URL string with alternating letters and periods, such as 'http://' + 'a.a.'.repeat(i) + 'a'.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	node-fetch	>=3.0.0 <3.2.10	3.2.10

Aliases

1. CVE-2022-25962. NVD-2022-25963. OSV-2022-25964. GCVE-2022-2596

References

1. https://github.com/node-fetch/node-fetch/pull/16112. https://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d3. https://github.com/node-fetch/node-fetch/releases/tag/v3.2.104. https://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.