ghsa-vp56-6g26-6827
Vulnerability from github
Published
2022-08-02 00:00
Modified
2022-08-04 17:37
Severity ?
Summary
node-fetch Inefficient Regular Expression Complexity
Details
node-fetch is a light-weight module that brings window.fetch to node.js.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the isOriginPotentiallyTrustworthy()
function in referrer.js
, when processing a URL string with alternating letters and periods, such as 'http://' + 'a.a.'.repeat(i) + 'a'
.
{ "affected": [ { "package": { "ecosystem": "npm", "name": "node-fetch" }, "ranges": [ { "events": [ { "introduced": "3.0.0" }, { "fixed": "3.2.10" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-2596" ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-08-04T17:37:24Z", "nvd_published_at": "2022-08-01T15:15:00Z", "severity": "MODERATE" }, "details": "[node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `\u0027http://\u0027 + \u0027a.a.\u0027.repeat(i) + \u0027a\u0027`.", "id": "GHSA-vp56-6g26-6827", "modified": "2022-08-04T17:37:24Z", "published": "2022-08-02T00:00:25Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2596" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/pull/1611" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d" }, { "type": "PACKAGE", "url": "https://github.com/node-fetch/node-fetch" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/releases/tag/v3.2.10" }, { "type": "WEB", "url": "https://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "node-fetch Inefficient Regular Expression Complexity " }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.