[Pkg-javascript-devel] Bug#970173: node-fetch: CVE-2020-15168
Salvatore Bonaccorso
carnil at debian.org
Sat Sep 12 14:33:10 BST 2020
Source: node-fetch
Version: 1.7.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1.7.3-1
Hi,
The following vulnerability was published for node-fetch.
CVE-2020-15168[0]:
| node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the
| size option after following a redirect, which means that when a
| content size was over the limit, a FetchError would never get thrown
| and the process would end without failure. For most people, this fix
| will have a little or no impact. However, if you are relying on node-
| fetch to gate files above a size, the impact could be significant, for
| example: If you don't double-check the size of the data after fetch()
| has completed, your JS thread could get tied up doing work on a large
| file (DoS) and/or cost you money in computing.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-15168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15168
[1] https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
Regards
Salvatore
More information about the Pkg-javascript-devel
mailing list