File size limit bypass in node-fetch
Description
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
node-fetchnpm | >= 2.0.0, < 2.6.1 | 2.6.1 |
node-fetchnpm | >= 3.0.0-beta.1, < 3.0.0-beta.9 | 3.0.0-beta.9 |
Affected products
32- ghsa-coords31 versionspkg:npm/node-fetchpkg:rpm/suse/bind-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/grafana-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/image-sync-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/mgr-daemon&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/prometheus-exporters-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/prometheus-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/pxe-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/py26-compat-salt&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/python-susemanager-retail&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/saltboot-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/salt-netapi-client&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-admin&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-backend&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/spacewalk-backend&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-branding&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-java&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-search&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-web&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/spacewalk-web&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-build-keys&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/susemanager-build-keys&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-doc-indexes&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-docs_en&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-schema&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-sls&distro=SUSE%20Manager%20Server%20Module%204.1
>= 2.0.0, < 2.6.1+ 30 more
- (no CPE)range: >= 2.0.0, < 2.6.1
- (no CPE)range: < 0.1.1603299886.60e4bcf-3.3.2
- (no CPE)range: < 0.3.0-3.3.2
- (no CPE)range: < 0.1.1602150122.f08af0a-3.6.2
- (no CPE)range: < 4.1.3-2.6.3
- (no CPE)range: < 0.8.0-3.16.2
- (no CPE)range: < 0.3.0-3.3.1
- (no CPE)range: < 0.1.1602490840.4f32148-3.3.2
- (no CPE)range: < 2016.11.10-6.3.3
- (no CPE)range: < 1.0.1602150122.f08af0a-3.3.2
- (no CPE)range: < 0.1.1602150122.f08af0a-3.6.2
- (no CPE)range: < 0.18.0-15.7.5
- (no CPE)range: < 4.1.8-4.9.2
- (no CPE)range: < 4.1.8-4.9.2
- (no CPE)range: < 4.1.7-3.6.3
- (no CPE)range: < 4.1.16-4.11.5
- (no CPE)range: < 4.1.16-4.11.5
- (no CPE)range: < 4.1.11-3.9.6
- (no CPE)range: < 4.1.7-4.6.4
- (no CPE)range: < 4.1.7-4.6.4
- (no CPE)range: < 4.1.22-3.16.4
- (no CPE)range: < 4.1.3-3.3.7
- (no CPE)range: < 4.1.19-3.9.5
- (no CPE)range: < 4.1.19-3.9.5
- (no CPE)range: < 15.2.2-3.6.3
- (no CPE)range: < 15.2.2-3.6.3
- (no CPE)range: < 4.1.21-3.11.6
- (no CPE)range: < 4.1-11.17.1
- (no CPE)range: < 4.1-11.17.1
- (no CPE)range: < 4.1.15-3.11.2
- (no CPE)range: < 4.1.17-3.13.6
- Range: <2.6.1
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-w7rc-rwvf-8q5rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15168ghsaADVISORY
- github.com/node-fetch/node-fetch/commit/2358a6c2563d1730a0cdaccc197c611949f6a334ghsaWEB
- github.com/node-fetch/node-fetch/commit/eaff0094c4dfdd5b78711a8c4f1b61e33d282072ghsaWEB
- github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5rghsax_refsource_CONFIRMWEB
- www.npmjs.com/package/node-fetchmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.