Description
When a remote URL is fetched with a Cookie header and the response carries a Location header, the redirect is followed and the new URL is requested with the same cookie, so the cookie is leaked to a third party. For example, if you fetch example.com with a cookie and the response redirects to attacker.com, the redirect URL is fetched with the provided cookie.
Recommendation
Update the cross-fetch package to the latest compatible version. The version details are as follows:
Affected version(s): **< 2.2.6**; **>= 3.0.0, < 3.1.5**
Patched version(s): **2.2.6**, **3.1.5**
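The behaviour described above can also be contained at the call site by following redirects manually and dropping credential headers whenever a redirect leaves the original origin. The sketch below is an added example, not cross-fetch's own code or its patch; `headersForRedirect`, `fetchScoped` and `makeStubFetch` are hypothetical names, and it assumes GET requests, headers passed as a plain object, and a Node fetch implementation that honours `redirect: 'manual'`.

```javascript
// Added example (hypothetical names); GET requests only, Node-style fetch assumed.
const CREDENTIAL_HEADERS = ['cookie', 'authorization', 'proxy-authorization'];
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Decide what may be sent to `location` after a request to `currentUrl`.
// Credential headers survive only if the redirect stays on the same origin
// (scheme + host + port); everything else is passed through unchanged.
function headersForRedirect(currentUrl, location, headers) {
  const next = new URL(location, currentUrl); // also resolves a relative Location
  const sameOrigin = next.origin === new URL(currentUrl).origin;
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (sameOrigin || !CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
      kept[name] = value;
    }
  }
  return { url: next.href, headers: kept };
}

// Follow redirects by hand so every hop is filtered by headersForRedirect.
// `fetchImpl` is any fetch-compatible function that honours redirect: 'manual'.
async function fetchScoped(url, init = {}, fetchImpl = globalThis.fetch, maxHops = 5) {
  let target = { url, headers: { ...(init.headers || {}) } };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(target.url, { ...init, headers: target.headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (!REDIRECT_STATUSES.has(res.status) || !location) return res;
    target = headersForRedirect(target.url, location, target.headers);
  }
  throw new Error('too many redirects');
}

// Constructed stub standing in for the network: example.com/start answers 302
// to attacker.com, and every request it sees is appended to `log`.
function makeStubFetch(log) {
  return async (url, init) => {
    log.push({ url, headers: init.headers });
    const redirect = url === 'https://example.com/start';
    const location = redirect ? 'https://attacker.com/landing' : null;
    return {
      status: redirect ? 302 : 200,
      headers: { get: (name) => (name.toLowerCase() === 'location' ? location : null) },
    };
  };
}

// Demo with a constructed cookie value: the second logged request has no Cookie.
const seen = [];
fetchScoped('https://example.com/start', { headers: { Cookie: 'sid=constructed' } }, makeStubFetch(seen))
  .then(() => console.log(seen));
```

A same-origin redirect keeps the cookie, while a scheme downgrade from https to http on the same host counts as a different origin and drops it.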
Related Issues
- Prototype Pollution in jquery-deparam - CVE-2021-20087
- files.photo.gallery command injection - CVE-2024-53615
- Potential XSS vulnerability in jQuery - CVE-2020-11023
- mapshaper Path Traversal vulnerability - CVE-2024-1163
Tags: npm, cross-fetch
Last updated on January 27, 2023