Description
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.
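To make the defect and its mitigation concrete, here is an added example (not node-fetch's own code) of a redirect header-forwarding policy. It models "trusted" as same-origin (scheme, host and port), which is an assumption made for the example rather than a reproduction of the project's patched check; the header names are the four listed in the description. A deliberately vulnerable variant that forwards everything is kept alongside for comparison.

```javascript
// Added example, not node-fetch's own code.
// Policy for which request headers a client may forward when following an HTTP redirect.
// Assumption: a redirect target is "trusted" only when it has the same origin
// (scheme + hostname + port) as the original request URL.

// The credential-bearing headers named in the advisory.
const SENSITIVE_HEADERS = new Set(['authorization', 'www-authenticate', 'cookie', 'cookie2']);

// WHATWG URL normalises default ports to '', so "https://h:443/" and "https://h/" compare equal.
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Hardened behaviour: drop credential headers when the redirect leaves the original origin.
// Returns a new plain object; the input map is not mutated.
function headersForRedirect(headers, fromUrl, toUrl) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && SENSITIVE_HEADERS.has(name.toLowerCase())) continue; // strip
    out[name] = value;
  }
  return out;
}

// Vulnerable behaviour for comparison: every header is copied to the redirected request,
// regardless of where it is going. This is the pattern the advisory describes.
function headersForRedirectVulnerable(headers) {
  return { ...headers };
}

// Constructed sample: a request carrying a bearer token and a session cookie is
// redirected from the API origin to an unrelated host.
const sampleHeaders = {
  Authorization: 'Bearer EXAMPLE_TOKEN',
  Cookie: 'session=abc',
  Accept: 'application/json',
};
const from = 'https://api.example/login';
const offSite = 'https://other.example/landing';

console.log('vulnerable :', headersForRedirectVulnerable(sampleHeaders));
console.log('hardened   :', headersForRedirect(sampleHeaders, from, offSite));
console.log('same-origin:', headersForRedirect(sampleHeaders, from, 'https://api.example/v2/login'));
```

Running the block prints the same three headers under the vulnerable policy, only Accept under the hardened cross-origin policy, and all three again for a same-origin redirect. Comparing the full origin rather than only the hostname also covers a scheme downgrade to a host with the same name.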
Recommendation
Update the node-fetch package to the latest compatible version. The following are the version details:
Affected version(s): **< 2.6.7; >= 3.0.0, < 3.1.1**
Patched version(s): **2.6.7, 3.1.1**
References
- GHSA-r683-j2x4-v87g
- huntr.dev
- cert-portal.siemens.com
- lists.debian.org
- CVE-2022-0235
- CWE-173
- CWE-200
- CWE-601
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 5 - CVE-2020-8203
- IPX Allows Path Traversal via Prefix Matching Bypass - CVE-2025-54387
Tags:
- npm
- node-fetch
Last updated on November 29, 2023