CVE-2020-15168
Denial of Service (DoS) vulnerability in node-fetch (npm)
What is CVE-2020-15168 About?
Node Fetch did not honor the `size` option after following a redirect in versions prior to 2.6.1 and 3.0.0-beta.9, allowing large files to be downloaded unchecked. This can lead to a Denial of Service (DoS) attack, where the process becomes tied up handling oversized content. This is relatively easy to exploit by providing a large, redirected file, but requires an attacker-controlled server.
Affected Software
- node-fetch
  - >2.0.0, <2.6.1
  - >3.0.0-beta.1, <3.0.0-beta.9
Technical Details
The vulnerability in Node Fetch (versions prior to 2.6.1 for v2 and 3.0.0-beta.9 for v3) stems from its failure to enforce the size option after following a redirect. The size option is intended to limit the maximum response body size that node-fetch will process, preventing resource exhaustion. However, when an initial request results in an HTTP redirect (e.g., 301, 302, 307, 308) to another URL, node-fetch would correctly initiate the redirect, but the size limit would not be applied to the final response body from the redirected URL.

An attacker could set up a server that returns a redirect to an extremely large file. When a vulnerable node-fetch client requests the initial URL, it would be redirected to the large file. Even if the size option was configured on the initial request, node-fetch would proceed to download the entire large file from the redirected URL, despite exceeding the intended size limit.

This causes the JavaScript thread to hang, consuming excessive memory and CPU, leading to an application-level Denial of Service (DoS) where the application becomes unresponsive or crashes.
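As an added defensive example (not node-fetch's own code), the wrapper below enforces a byte cap on the final response stream in the caller's own code, so the limit holds regardless of how the library handled a redirect. The `fetch` argument, `readBodyWithLimit`, `fetchWithHardLimit` and the constructed body are illustration assumptions; the only requirement on the fetch implementation is that it accepts a node-fetch-style `size` option and returns a Response whose `.body` is an async iterable of byte chunks.

```javascript
// Hard cap on a response body, enforced by the caller on the FINAL stream.
// Independent of the library's own `size` handling, so a redirect cannot
// bypass it. (Added example, not node-fetch code.)
class MaxSizeExceededError extends Error {
  constructor(limit, seen) {
    super(`response body exceeded ${limit} bytes (saw ${seen})`);
    this.name = 'MaxSizeExceededError';
    this.limit = limit;
    this.bytesSeen = seen;
  }
}

// Read an async iterable of byte chunks (node-fetch's response.body is one)
// into a Buffer, aborting as soon as the running total passes maxBytes.
async function readBodyWithLimit(body, maxBytes) {
  const chunks = [];
  let total = 0;
  for await (const chunk of body) {
    total += chunk.length;
    if (total > maxBytes) {
      // Stop reading from the socket; Node streams expose destroy().
      if (typeof body.destroy === 'function') body.destroy();
      throw new MaxSizeExceededError(maxBytes, total);
    }
    chunks.push(Buffer.from(chunk));
  }
  return Buffer.concat(chunks);
}

// Wrapper around an assumed fetch implementation: pass the library's `size`
// option as a first line of defence, then apply our own cap to whatever
// body actually arrives after redirects were followed.
async function fetchWithHardLimit(fetch, url, maxBytes) {
  const res = await fetch(url, { size: maxBytes, redirect: 'follow' });
  // Content-Length is advisory only: refuse early when it is too large,
  // but the streaming check in readBodyWithLimit is what bounds memory.
  const declared = Number(res.headers.get('content-length'));
  if (Number.isFinite(declared) && declared > maxBytes) {
    throw new MaxSizeExceededError(maxBytes, declared);
  }
  return readBodyWithLimit(res.body, maxBytes);
}

// Constructed stand-in for a large redirected body: n chunks of 1 KiB.
async function* constructedBody(n, chunkSize = 1024) {
  for (let i = 0; i < n; i++) yield Buffer.alloc(chunkSize, 0x41);
}
```

Because the cap is checked per chunk, at most one chunk beyond the limit is ever buffered before the stream is destroyed.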
What is the Impact of CVE-2020-15168?
Successful exploitation may allow attackers to cause a Denial of Service (DoS) by forcing the application to download excessively large files, leading to application unresponsiveness or crashes.
What is the Exploitability of CVE-2020-15168?
Exploitation of this Denial of Service vulnerability requires an attacker to host a malicious server capable of serving large files and initiating HTTP redirects. The attacker's goal is to trick a vulnerable node-fetch client into making a request to their malicious server, which then redirects to the oversized content. No authentication is typically required on the client side for the initial request. The attack is remote. The complexity is low to moderate, as it primarily involves setting up a redirect and a large file. The main prerequisites are that the target application uses node-fetch in an affected version and makes requests to untrusted or attacker-controlled URLs. The likelihood of exploitation increases in environments where node-fetch is used to consume external content without strict validation of redirect behavior or content length after redirects.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-15168?
Available Upgrade Options
- node-fetch
  - >2.0.0, <2.6.1 → Upgrade to 2.6.1
  - >3.0.0-beta.1, <3.0.0-beta.9 → Upgrade to 3.0.0-beta.9
Additional Resources
- https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
- https://github.com/node-fetch/node-fetch/commit/2358a6c2563d1730a0cdaccc197c611949f6a334
- https://osv.dev/vulnerability/GHSA-w7rc-rwvf-8q5r
- https://github.com/node-fetch/node-fetch
- https://github.com/node-fetch/node-fetch/commit/eaff0094c4dfdd5b78711a8c4f1b61e33d282072
- https://www.npmjs.com/package/node-fetch
- https://nvd.nist.gov/vuln/detail/CVE-2020-15168
What are Similar Vulnerabilities to CVE-2020-15168?
Similar Vulnerabilities: CVE-2018-1000632, CVE-2019-10769, CVE-2021-23361, CVE-2022-42111, CVE-2023-38545
