Vulnerability Details CVE-2020-15168
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.1%
CVSS Severity
CVSS v3 Score 2.6
CVSS v2 Score 5.0
References
Products affected by CVE-2020-15168
-
cpe:2.3:a:node-fetch_project:node-fetch:0.1.0
-
cpe:2.3:a:node-fetch_project:node-fetch:1.0.0
-
cpe:2.3:a:node-fetch_project:node-fetch:1.0.1
-
cpe:2.3:a:node-fetch_project:node-fetch:1.0.2
-
cpe:2.3:a:node-fetch_project:node-fetch:1.0.3
-
cpe:2.3:a:node-fetch_project:node-fetch:1.0.4
-
cpe:2.3:a:node-fetch_project:node-fetch:1.0.5
-
cpe:2.3:a:node-fetch_project:node-fetch:1.0.6
-
cpe:2.3:a:node-fetch_project:node-fetch:1.1.0
-
cpe:2.3:a:node-fetch_project:node-fetch:1.1.1
-
cpe:2.3:a:node-fetch_project:node-fetch:1.1.2
-
cpe:2.3:a:node-fetch_project:node-fetch:1.2.0
-
cpe:2.3:a:node-fetch_project:node-fetch:1.2.1
-
cpe:2.3:a:node-fetch_project:node-fetch:1.3.0
-
cpe:2.3:a:node-fetch_project:node-fetch:1.3.1
-
cpe:2.3:a:node-fetch_project:node-fetch:1.3.2
-
cpe:2.3:a:node-fetch_project:node-fetch:1.3.3
-
cpe:2.3:a:node-fetch_project:node-fetch:1.4.0
-
cpe:2.3:a:node-fetch_project:node-fetch:1.4.1
-
cpe:2.3:a:node-fetch_project:node-fetch:1.5.0
-
cpe:2.3:a:node-fetch_project:node-fetch:1.5.1
-
cpe:2.3:a:node-fetch_project:node-fetch:1.5.2
-
cpe:2.3:a:node-fetch_project:node-fetch:1.5.3
-
cpe:2.3:a:node-fetch_project:node-fetch:1.6.0
-
cpe:2.3:a:node-fetch_project:node-fetch:1.6.1
-
cpe:2.3:a:node-fetch_project:node-fetch:1.6.2
-
cpe:2.3:a:node-fetch_project:node-fetch:1.6.3
-
cpe:2.3:a:node-fetch_project:node-fetch:1.7.0
-
cpe:2.3:a:node-fetch_project:node-fetch:1.7.1
-
cpe:2.3:a:node-fetch_project:node-fetch:1.7.2
-
cpe:2.3:a:node-fetch_project:node-fetch:1.7.3
-
cpe:2.3:a:node-fetch_project:node-fetch:2.0.0
-
cpe:2.3:a:node-fetch_project:node-fetch:2.1.0
-
cpe:2.3:a:node-fetch_project:node-fetch:2.1.1
-
cpe:2.3:a:node-fetch_project:node-fetch:2.1.2
-
cpe:2.3:a:node-fetch_project:node-fetch:2.2.0
-
cpe:2.3:a:node-fetch_project:node-fetch:2.2.1
-
cpe:2.3:a:node-fetch_project:node-fetch:2.3.0
-
cpe:2.3:a:node-fetch_project:node-fetch:2.4.0
-
cpe:2.3:a:node-fetch_project:node-fetch:2.4.1
-
cpe:2.3:a:node-fetch_project:node-fetch:2.5.0
-
cpe:2.3:a:node-fetch_project:node-fetch:2.6.0
-
cpe:2.3:a:node-fetch_project:node-fetch:3.0.0