First published: Thu Sep 10 2020(Updated: )
### Impact Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. ### Patches We released patched versions for both stable and beta channels: - For `v2`: 2.6.1 - For `v3`: 3.0.0-beta.9 ### Workarounds None, it is strongly recommended to update as soon as possible. ### For more information If you have any questions or comments about this advisory: * Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+) * Contact one of the core maintainers.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Node-fetch Project Node-fetch | <2.6.1 | |
Node-fetch Project Node-fetch | =3.0.0-beta1 | |
Node-fetch Project Node-fetch | =3.0.0-beta5 | |
Node-fetch Project Node-fetch | =3.0.0-beta6 | |
Node-fetch Project Node-fetch | =3.0.0-beta7 | |
Node-fetch Project Node-fetch | =3.0.0-beta8 | |
npm/node-fetch | >=2.0.0<2.6.1 | 2.6.1 |
npm/node-fetch | >=3.0.0-beta.1<=3.0.0-beta.8 | 3.0.0-beta.9 |
IBM Security Guardium Insights | <=2.0.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-15168 is a vulnerability in the Node.js node-fetch module that allows a denial of service attack due to the failure to honor the size option after following a redirect.
CVE-2020-15168 has a severity rating of 7.5 (High).
IBM Cloud Pak for Security (CP4S) versions 1.7.2.0, 1.7.1.0, and 1.7.0.0 are affected by CVE-2020-15168. Node-fetch versions up to 2.6.1 and versions 3.0.0-beta1, 3.0.0-beta5, 3.0.0-beta6, 3.0.0-beta7, and 3.0.0-beta8 are also affected.
Upgrade to node-fetch version 2.6.1 or higher.
You can find more information about CVE-2020-15168 at the following links: [GitHub Advisory](https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r), [npmjs](https://www.npmjs.com/package/node-fetch), [IBM X-Force Exchange](https://exchange.xforce.ibmcloud.com/vulnerabilities/188155).