Fix CVE–2022–0235

[debricked]

CVE–2022–0235

Vulnerable dependency:     node-fetch (npm)    3.0.0-beta.9

Vulnerability details

Description

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

NVD

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

GitHub

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

CVSS details - 6.1

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	Required
Scope	Changed
Confidentiality	Low
Integrity	Low
Availability	None

References

    node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor · CVE-2022-0235 · GitHub Advisory Database · GitHub
    THIRD PARTY
    Exposure of Sensitive Information to an Unauthorized Actor vulnerability found in node-fetch
    3.1.1 release (#1451) · node-fetch/node-fetch@36e47e8 · GitHub
    Create SECURITY.md by JamieSlome · Pull Request #1445 · node-fetch/node-fetch · GitHub
    Potential security issue · Issue #1443 · node-fetch/node-fetch · GitHub
    GitHub - node-fetch/node-fetch: A light-weight module that brings the Fetch API to Node.js
    backport of #1449 by jimmywarting · Pull Request #1453 · node-fetch/node-fetch · GitHub
    fix(Headers): don't forward secure headers to 3th party by jimmywarting · Pull Request #1449 · node-fetch/node-fetch · GitHub
    fix(Headers): don't forward secure headers to 3th party · node-fetch/node-fetch@5c32f00 · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE