CVE-2020-15168
File size limit bypass in node-fetch
Descriptions
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
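The advisory's mitigation is to double-check the body size after fetch() has returned, on the final response, so the limit holds regardless of redirects. The following is an added example (not code from the advisory or the node-fetch project) of such a guard; SizeLimitError, SizeGuard, readBodyWithLimit and the constructed sample body are hypothetical names.

```javascript
// Added example, not from the advisory or node-fetch: enforces a byte limit on
// the body of the *final* response, so the check is independent of how many
// redirects fetch() followed (the step affected by CVE-2020-15168).

class SizeLimitError extends Error {
  constructor(limit, seen) {
    super(`content size over limit: ${seen} bytes received, limit ${limit}`);
    this.name = 'SizeLimitError';
    this.type = 'max-size'; // type string node-fetch's FetchError uses for this case
  }
}

// Counts bytes as they arrive; throws as soon as the limit is crossed.
// It does not trust Content-Length, which may be absent or wrong.
class SizeGuard {
  constructor(limit) { this.limit = limit; this.seen = 0; }
  push(chunk) {
    this.seen += chunk.length;
    if (this.seen > this.limit) throw new SizeLimitError(this.limit, this.seen);
    return this.seen;
  }
}

// Drains an async-iterable body (a Node Readable such as res.body qualifies) into
// a Buffer, rejecting with SizeLimitError once more than `limit` bytes arrive.
async function readBodyWithLimit(body, limit) {
  const guard = new SizeGuard(limit);
  const chunks = [];
  for await (const chunk of body) {
    guard.push(chunk);               // throws before the oversized chunk is kept
    chunks.push(Buffer.from(chunk));
  }
  return Buffer.concat(chunks);
}

// Constructed sample body standing in for a redirect target's response stream:
// 6 + 8 = 14 bytes, which exceeds the 10-byte limit used by default below.
async function* constructedBody() {
  yield Buffer.from('hello ');
  yield Buffer.from('world!!!');
}

// Returns 'max-size' when the guard fires, 'no error' when the body fits.
async function runExample(limit = 10) {
  try {
    await readBodyWithLimit(constructedBody(), limit);
    return 'no error';
  } catch (e) {
    return e instanceof SizeLimitError ? e.type : 'other error';
  }
}
```

In an application the same call would be `await readBodyWithLimit(res.body, limit)` on the response fetch() actually returned, which is the point at which the advisory says the size must be re-checked.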
Timeline
- 2020-06-25 CVE Reserved
- 2020-09-10 CVE Published
- 2024-01-29 EPSS Updated
- 2024-08-04 CVE Updated
CWE
- CWE-20: Improper Input Validation
- CWE-770: Allocation of Resources Without Limits or Throttling
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r | Third Party Advisory | |
https://www.npmjs.com/package/node-fetch | Product | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Node-fetch Project | Node-fetch | < 2.6.1 | node.js | Affected |
Node-fetch Project | Node-fetch | 3.0.0 | beta1, node.js | Affected |
Node-fetch Project | Node-fetch | 3.0.0 | beta5, node.js | Affected |
Node-fetch Project | Node-fetch | 3.0.0 | beta6, node.js | Affected |
Node-fetch Project | Node-fetch | 3.0.0 | beta7, node.js | Affected |
Node-fetch Project | Node-fetch | 3.0.0 | beta8, node.js | Affected |