Vulnerability Details : CVE-2020-15168
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Vulnerability category: Input validationDenial of service
Products affected by CVE-2020-15168
- cpe:2.3:a:node-fetch_project:node-fetch:*:*:*:*:*:node.js:*:*
- cpe:2.3:a:node-fetch_project:node-fetch:3.0.0:beta1:*:*:*:node.js:*:*
- cpe:2.3:a:node-fetch_project:node-fetch:3.0.0:beta5:*:*:*:node.js:*:*
- cpe:2.3:a:node-fetch_project:node-fetch:3.0.0:beta6:*:*:*:node.js:*:*
- cpe:2.3:a:node-fetch_project:node-fetch:3.0.0:beta7:*:*:*:node.js:*:*
- cpe:2.3:a:node-fetch_project:node-fetch:3.0.0:beta8:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-15168
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 42 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-15168
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
3.9
|
1.4
|
NIST | |
2.6
|
LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L |
1.2
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2020-15168
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security-advisories@github.com (Secondary)
-
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2020-15168
-
https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
The `size` option isn't honored after following a redirect · Advisory · node-fetch/node-fetch · GitHubThird Party Advisory
-
https://www.npmjs.com/package/node-fetch
node-fetch - npmProduct;Third Party Advisory
Jump to