The `size` option isn't honored after following a redirect in node-fetch

Description

Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

For most people, this fix will have a little or no impact.

Recommendation

Update the node-fetch package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 2.0.0, < 2.6.1

  >= 3.0.0-beta.1, <= 3.0.0-beta.8**

• Patched version(s): **2.6.1

  3.0.0-beta.9**

References

• GHSA-w7rc-rwvf-8q5r
• CVE-2020-15168
• CWE-20
• CWE-770
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• x402 SDK vulnerable in outdated versions in resource servers for builders - Vulnerability
• Potential DoS when using ContextLines integration (GHSA-r5w7-f542-q2j4) 9 - Vulnerability
• Potential DoS when using ContextLines integration (GHSA-r5w7-f542-q2j4) 8 - Vulnerability
• Potential DoS when using ContextLines integration (GHSA-r5w7-f542-q2j4) 7 - Vulnerability

Tags:

npm

node-fetch