CVE-2022-1365
Cookie Leakage vulnerability in cross-fetch (npm)
What is CVE-2022-1365 About?
This vulnerability allows for cookie leakage to third-party domains due to improper handling of HTTP redirects. If a remote URL fetch with cookies results in a redirect, the cookies are sent to the redirected (potentially malicious) third-party site. This vulnerability is relatively easy to exploit if an attacker can control redirect destinations.
Affected Software
- cross-fetch
  - <2.2.6
  - >3.0.0, <3.1.5
Technical Details
The vulnerability occurs when an application attempts to fetch a remote URL while including cookies. If the response to this initial request contains a 'Location' HTTP header, indicating a redirect, the client automatically follows this redirect. The critical flaw is that the client continues to include the originally provided cookies in the request to the new 'Location' URL, even if this URL points to a different, potentially untrusted, domain. An attacker can host a malicious server that, when queried, issues a redirect to a controlled domain, thereby capturing the victim's cookies intended for the original site.
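The redirect handling described above, as an added example that is not part of this advisory or of cross-fetch's own code: a wrapper around any fetch-compatible function that follows redirects itself with `redirect: 'manual'` and drops Cookie, Authorization and Proxy-Authorization before any hop whose target is a different origin (scheme, host and port, a stricter test than the domain comparison mentioned above). It assumes a Node-style fetch (cross-fetch or node-fetch on Node, where a manual redirect returns the 3xx response with its Location header readable) and plain-object request headers; the names `sameOrigin`, `headersForRedirect` and `safeFetch` are hypothetical.

```javascript
// Added example (not cross-fetch's or node-fetch's own code): follow redirects
// by hand and drop credential-bearing headers whenever a hop leaves the origin
// that was originally requested. `fetchImpl` is any fetch-compatible function
// (assumed: a Node-style fetch where redirect: 'manual' hands back the 3xx
// response with its Location header readable; headers are plain objects).

const CREDENTIAL_HEADERS = ['cookie', 'authorization', 'proxy-authorization'];
const REDIRECT_STATUSES = [301, 302, 303, 307, 308];

// Same origin means same scheme and same host:port (URL.host includes the port).
function sameOrigin(a, b) {
  const u = new URL(a);
  const v = new URL(b);
  return u.protocol === v.protocol && u.host === v.host;
}

// Copy of `headers` minus credential headers when the hop from fromUrl to toUrl
// crosses an origin boundary; returned unchanged for a same-origin hop.
function headersForRedirect(fromUrl, toUrl, headers) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CREDENTIAL_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Resolve at most `maxRedirects` hops, re-checking the origin on every hop so a
// chain that bounces through the trusted site before leaving it is still caught.
async function safeFetch(fetchImpl, url, options = {}, maxRedirects = 5) {
  let current = new URL(url).toString();
  let headers = { ...(options.headers || {}) };
  let method = (options.method || 'GET').toUpperCase();
  let body = options.body;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(current, { ...options, method, body, headers, redirect: 'manual' });
    const location = REDIRECT_STATUSES.includes(res.status) ? res.headers.get('location') : null;
    if (!location) return res; // not a redirect: hand the response back to the caller
    const next = new URL(location, current).toString(); // Location may be relative
    // RFC 7231: 303 always becomes GET; 301/302 conventionally do so for POST.
    if (res.status === 303 || ((res.status === 301 || res.status === 302) && method === 'POST')) {
      method = 'GET';
      body = undefined;
    }
    headers = headersForRedirect(current, next, headers);
    current = next;
  }
  throw new Error(`gave up after ${maxRedirects} redirects`);
}
```

Wiring the stripped-header check into a wrapper rather than relying on the library's default redirect mode also gives a single place to log cross-origin redirects, which is the signal a defender would want to alert on.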
What is the Impact of CVE-2022-1365?
Successful exploitation may allow attackers to steal sensitive user session cookies, leading to session hijacking, unauthorized access to user accounts, or further reconnaissance.
What is the Exploitability of CVE-2022-1365?
Exploitation of this vulnerability is of moderate complexity, requiring the attacker to control or influence a redirect destination. No authentication is typically required for the initial request, as the vulnerability lies in how the application handles redirects. Privilege requirements are low, as a standard user interaction could trigger the fetch. It is a remote vulnerability, as the fetch operation interacts with external servers. The primary constraint is convincing the victim's application to perform a fetch to a URL that the attacker can then redirect. Risk factors increase if the application frequently fetches external resources or processes user-supplied URLs.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-1365?
Available Upgrade Options
- cross-fetch
  - <2.2.6 → Upgrade to 2.2.6
  - >3.0.0, <3.1.5 → Upgrade to 3.1.5
Additional Resources
- https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac
- https://nvd.nist.gov/vuln/detail/CVE-2022-1365
- https://osv.dev/vulnerability/GHSA-7gc6-qh9x-w6h8
- https://github.com/lquixada/cross-fetch/pull/135
- https://github.com/lquixada/cross-fetch/commit/a3b3a9481091ddd06b8f83784ba9c4e034dc912a
- https://github.com/lquixada/cross-fetch
What are Similar Vulnerabilities to CVE-2022-1365?
Similar Vulnerabilities: CVE-2015-8854, CVE-2017-1000486, CVE-2017-1000487, CVE-2018-1000136, CVE-2018-1000406
