CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2596 – Inefficient Regular Expression Complexity in node-fetch/node-fetch
https://notcve.org/view.php?id=CVE-2022-2596
Inefficient Regular Expression Complexity in GitHub repository node-fetch/node-fetch prior to 3.2.10. Una Denegación de Servicio en el repositorio de GitHub node-fetch/node-fetch versiones anteriores a 3.2.10 • https://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d https://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 1CVE-2022-0235 – Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch
https://notcve.org/view.php?id=CVE-2022-0235
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor node-fetch es vulnerable a una Exposición de Información Confidencial a un Actor no Autorizado A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized actor. • https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10 https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7 https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html https://access.redhat.com/security/cve/CVE-2022-0235 https://bugzilla.redhat.com/show_bug.cgi?id=2044591 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2020-15168 – File size limit bypass in node-fetch
https://notcve.org/view.php?id=CVE-2020-15168
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. node-fetch versiones anteriores a 2.6.1 y a 3.0.0-beta.9 no respetaba la opción de tamaño después de seguir un redireccionamiento, lo que significa que cuando un tamaño de contenido superaba el límite, una FetchError nunca se iniciaba y el proceso terminaba sin fallos. Para la mayoría de las personas, esta solución tendrá un impacto mínimo o nulo. Sin embargo, si confía en node-fetch para bloquear archivos por encima de un tamaño, el impacto podría ser significativo, por ejemplo: si no verifica dos veces el tamaño de los datos después de que se haya completado la función fetch(), su hilo o subproceso JS podría atarse haciendo que en un archivo grande (DoS) y/o le cueste dinero en informática • https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r https://www.npmjs.com/package/node-fetch • CWE-20: Improper Input Validation CWE-770: Allocation of Resources Without Limits or Throttling •