Description
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
Product, Third Party Advisory x_refsource_misc
https://www.npmjs.com/package/node-fetch
Scores
CVSS v3
2.6
EPSS
0.0169
EPSS Percentile
74.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
Details
CWE
CWE-20
CWE-770
Status
published
Products (3)
node-fetch_project/node-fetch
3.0.0 beta1 (5 CPE variants)
node-fetch_project/node-fetch
< 2.6.1
npm/node-fetch
2.0.0 - 2.6.1npm
Published
Sep 10, 2020
Tracked Since
Feb 18, 2026