CVE-2022-2596
MEDIUM5.9EPSS 0.22%node-fetch Inefficient Regular Expression Complexity
Published: 8/2/2022Modified: 11/8/2023
Also known as:GHSA-vp56-6g26-6827
Description
[node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `'http://' + 'a.a.'.repeat(i) + 'a'`.
Affected packages (1)
- npm/node-fetch>= 3.0.0, < 3.2.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-2596
- PATCHhttps://github.com/node-fetch/node-fetch
- WEBhttps://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d
- WEBhttps://github.com/node-fetch/node-fetch/pull/1611
- WEBhttps://github.com/node-fetch/node-fetch/releases/tag/v3.2.10
- WEBhttps://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7