CVE-2022-0235: Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch
First published: Fri Jan 14 2022(Updated: )
A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized actor.
Credit: security@huntr.dev security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-nodejs14-nodejs | <0:14.21.1-3.el7 | 0:14.21.1-3.el7 |
| redhat/rh-nodejs14-nodejs-nodemon | <0:2.0.20-2.el7 | 0:2.0.20-2.el7 |
| Node-fetch Project Node-fetch | <2.6.7 | |
| Node-fetch Project Node-fetch | >=3.0.0<3.1.1 | |
| Siemens Sinec Ins | <1.0 | |
| Siemens Sinec Ins | =1.0 | |
| Siemens Sinec Ins | =1.0-sp1 | |
| Debian Debian Linux | =10.0 | |
| npm/node-fetch | <2.6.7 | 2.6.7 |
| npm/node-fetch | >=3.0.0<3.1.1 | 3.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-0235
- https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10
- https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7
- https://github.com/node-fetch/node-fetch/pull/1453
- https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html
- https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60
- https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35
- https://github.com/advisories/GHSA-r683-j2x4-v87g (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/217758
- https://www.ibm.com/support/pages/node/6578583 (Advisory)
- https://github.com/node-fetch/node-fetch/pull/1449
- https://github.com/node-fetch/node-fetch/commit/f5d3cf5e2579cb8f4c76c291871e69696aef8f80
- https://access.redhat.com/errata/RHSA-2022:0735
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061809
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061810
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061811
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061812
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061813
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061814
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061815
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061816
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061806
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061817
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061818
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061819
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061820
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061821
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061822
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061823
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061807
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061824
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061825
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061826
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061808
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061827
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061828
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061829
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061830
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2061831
- https://access.redhat.com/errata/RHSA-2022:1083
- https://access.redhat.com/errata/RHSA-2022:1476
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2048424
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2079047
- https://access.redhat.com/errata/RHSA-2022:1681
- https://access.redhat.com/errata/RHSA-2022:1715
- https://access.redhat.com/errata/RHSA-2022:1739
- https://access.redhat.com/errata/RHSA-2022:4956
- https://access.redhat.com/errata/RHSA-2022:5392
- https://access.redhat.com/errata/RHSA-2022:5483
- https://access.redhat.com/errata/RHSA-2022:5069
- https://access.redhat.com/errata/RHSA-2022:6156
- https://access.redhat.com/security/cve/cve-2022-0235
- https://access.redhat.com/errata/RHSA-2022:6813
- https://access.redhat.com/errata/RHSA-2022:6835
- https://access.redhat.com/errata/RHSA-2022:8524
- https://access.redhat.com/errata/RHSA-2023:0050
- https://access.redhat.com/errata/RHSA-2023:0612
- https://access.redhat.com/errata/RHSA-2023:1742
- https://bugzilla.redhat.com/show_bug.cgi?id=2044591
- https://www.cve.org/CVERecord?id=CVE-2022-0235 https://nvd.nist.gov/vuln/detail/CVE-2022-0235 https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2022-0235?
The severity of CVE-2022-0235 is high (8.8).
What is the affected software for CVE-2022-0235?
The affected software for CVE-2022-0235 is node-fetch.
What is the remedy for CVE-2022-0235?
The remedy for CVE-2022-0235 is to update node-fetch to version 2.6.7 or 3.1.1.
Where can I find more information about CVE-2022-0235?
More information about CVE-2022-0235 can be found in the NVD vulnerability report, GitHub commit, and Huntr bounty links.
What sensitive information is exposed by CVE-2022-0235?
CVE-2022-0235 exposes sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets.
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- collector/github-advisory-latest
- alias/GHSA-r683-j2x4-v87g
- alias/CVE-2022-0235
- collector/github-advisory
- agent/author
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/softwarecombine
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/node-fetch project
- canonical/node-fetch project node-fetch
- version/node-fetch project node-fetch/3.0.0
- vendor/siemens
- canonical/siemens sinec ins
- version/siemens sinec ins/1.0
- version/siemens sinec ins/1.0-sp1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- package-manager/npm