node-fetch forwards secure headers to untrusted sites · CVE-2022-0235 · GitHub Advisory Database · GitHub

node-fetch forwards secure headers to untrusted sites

High severity GitHub Reviewed Published Jan 21, 2022 to the GitHub Advisory Database • Updated Nov 29, 2023

Package

node-fetch (npm)

Affected versions

>= 3.0.0, < 3.1.1

< 2.6.7

Patched versions

3.1.1

2.6.7

Description

node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to a untrusted site.

References

Published by the National Vulnerability Database

Jan 16, 2022

Reviewed Jan 18, 2022

Published to the GitHub Advisory Database Jan 21, 2022

Last updated Nov 29, 2023