Severity: 7.5 (High)
CWE: CWE-770, CWE-20

CVE-2020-15168: File size limit bypass in node-fetch

First published: Thu Sep 10 2020

### Impact

Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure.

For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

### Patches

We released patched versions for both stable and beta channels:

- For `v2`: 2.6.1
- For `v3`: 3.0.0-beta.9

### Workarounds

None; it is strongly recommended to update as soon as possible.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+)
* Contact one of the core maintainers.

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Node-fetch Project Node-fetch | <2.6.1 | |
| Node-fetch Project Node-fetch | =3.0.0-beta1 | |
| Node-fetch Project Node-fetch | =3.0.0-beta5 | |
| Node-fetch Project Node-fetch | =3.0.0-beta6 | |
| Node-fetch Project Node-fetch | =3.0.0-beta7 | |
| Node-fetch Project Node-fetch | =3.0.0-beta8 | |
| npm/node-fetch | >=2.0.0 <2.6.1 | 2.6.1 |
| npm/node-fetch | >=3.0.0-beta.1 <=3.0.0-beta.8 | 3.0.0-beta.9 |
| IBM Security Guardium Insights | <=2.0.2 | |


Frequently Asked Questions

  • What is CVE-2020-15168?

    CVE-2020-15168 is a vulnerability in the Node.js node-fetch module that allows a denial of service attack due to the failure to honor the size option after following a redirect.

  • How severe is CVE-2020-15168?

    CVE-2020-15168 has a severity rating of 7.5 (High).

  • Which software versions are affected by CVE-2020-15168?

    IBM Cloud Pak for Security (CP4S) versions 1.7.2.0, 1.7.1.0, and 1.7.0.0 are affected by CVE-2020-15168. Node-fetch versions before 2.6.1 and versions 3.0.0-beta1, 3.0.0-beta5, 3.0.0-beta6, 3.0.0-beta7, and 3.0.0-beta8 are also affected.

  • How can I fix CVE-2020-15168?

    Upgrade to node-fetch version 2.6.1 or higher.

  • Where can I find more information about CVE-2020-15168?

    You can find more information about CVE-2020-15168 at the following links: [GitHub Advisory](https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r), [npmjs](https://www.npmjs.com/package/node-fetch), [IBM X-Force Exchange](https://exchange.xforce.ibmcloud.com/vulnerabilities/188155).

© 2024 SecAlerts Pty Ltd.