CVE-2020-15168

Published: 10/09/2020 Updated: 17/09/2020

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9

VMScore: 446

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

node-fetch prior to 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Vulnerable Product	Search on Vulmon	Subscribe to Product
node-fetch project node-fetch
node-fetch project node-fetch 3.0.0

Debian Bug report logs - #970173 node-fetch: CVE-2020-15168 Package: src:node-fetch; Maintainer for src:node-fetch is Debian Javascript Maintainers <pkg-javascript-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sat, 12 Sep 2020 13:36:01 UTC Severity: important Tags: securi ...

CWE-770 https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r https://www.npmjs.com/package/node-fetch https://nvd.nist.gov https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970173

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2020-15168

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect