CVE-2022-0235
Information Disclosure vulnerability in node-fetch
What is CVE-2022-0235 About?
The node-fetch library improperly forwards secure headers like authorization and cookie during redirects to untrusted sites. This vulnerability can lead to sensitive information disclosure. Exploiting this issue requires tricking a user or application into making a request that redirects to an untrusted domain.
Affected Software
- node-fetch
  - <2.6.7
  - >3.0.0, <3.1.1
Technical Details
The vulnerability in node-fetch (prior to a patched version) concerns its handling of secure headers during HTTP redirects. Specifically, when a request initiated by node-fetch encounters a redirect (HTTP 3xx status code) and the redirection target is an untrusted site, the library incorrectly forwards sensitive headers such as `authorization`, `www-authenticate`, `cookie`, and `cookie2`. This behavior deviates from secure practices, as such headers should typically be stripped or carefully managed when redirecting to a different origin, particularly an untrusted one. The attack vector involves an application or user making a request to a malicious or compromised endpoint that then issues a redirect to an attacker-controlled domain, thus exfiltrating the sensitive headers.
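The header handling described above can be enforced by the caller, shown here as an added example that is not node-fetch's own code. It assumes the trust boundary is the URL origin (scheme, host, port); `headersForRedirect`, `fetchWithSafeRedirects` and the `fetchImpl` parameter are hypothetical names, and only header filtering on GET-style redirects is covered.

```javascript
// Header names taken from the advisory text above.
const SENSITIVE_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// Given the URL that was requested, the Location value it answered with, and
// the headers that were sent, return the next URL and the headers safe to send.
function headersForRedirect(requestUrl, location, headers) {
  const from = new URL(requestUrl);
  const to = new URL(location, from); // resolves relative Location values
  const crossOrigin = to.origin !== from.origin; // assumption: origin = trust boundary
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    // Drop credentials when the redirect leaves the original origin,
    // including an https -> http downgrade on the same host.
    if (crossOrigin && SENSITIVE_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return { url: to.href, headers: out };
}

// Follow redirects by hand so that every hop is filtered. `fetchImpl` is any
// fetch-compatible function that honours `redirect: 'manual'`.
// Method and body rewriting (e.g. for 303) is out of scope for this sketch.
async function fetchWithSafeRedirects(fetchImpl, url, headers, maxHops = 5) {
  let current = { url, headers };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(current.url, {
      headers: current.headers,
      redirect: 'manual',
    });
    const location = res.headers.get('location');
    const isRedirect = res.status >= 300 && res.status < 400;
    if (!isRedirect || !location) return res;
    current = headersForRedirect(current.url, location, current.headers);
  }
  throw new Error('too many redirects');
}
```

Because headers are stripped once and never re-added, a chain that leaves the original origin and later redirects back to it continues without credentials.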
What is the Impact of CVE-2022-0235?
Successful exploitation may allow attackers to gain access to sensitive authentication tokens, session cookies, or other confidential information by redirecting requests to malicious domains.
What is the Exploitability of CVE-2022-0235?
Exploitation of this vulnerability is of moderate complexity, as it relies on an application making a request that is then redirected to an untrusted site. No specific authentication is required at the point of header forwarding, but the headers themselves likely originated from an authenticated session. This is a remote vulnerability, where an attacker could control the redirect destination. Special conditions include the target application using node-fetch and making requests where redirects can be triggered. Risk factors are increased if applications frequently interact with external, potentially untrusted services or if users can be enticed to click on malicious links that trigger such requests.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-0235?
Available Upgrade Options
- node-fetch
  - <2.6.7 → Upgrade to 2.6.7
  - >3.0.0, <3.1.1 → Upgrade to 3.1.1
Additional Resources
- https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html
- https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10
- https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35
- https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7
- https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60
- https://osv.dev/vulnerability/GHSA-r683-j2x4-v87g
- https://github.com/node-fetch/node-fetch/pull/1453
- https://github.com/node-fetch/node-fetch
- https://nvd.nist.gov/vuln/detail/CVE-2022-0235
What are Similar Vulnerabilities to CVE-2022-0235?
Similar Vulnerabilities: CVE-2018-1000632, CVE-2019-10776, CVE-2020-8037, CVE-2021-23395, CVE-2022-0536
