CVE-2022-2596
MEDIUM5.9EPSS 0.22%node-fetch Inefficient Regular Expression Complexity
發布日:2022/8/2修改日:2023/11/8
描述
[node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `'http://' + 'a.a.'.repeat(i) + 'a'`.
受影響套件(1)
- npm/node-fetch>= 3.0.0, < 3.2.10
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-2596
- PATCHhttps://github.com/node-fetch/node-fetch
- WEBhttps://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d
- WEBhttps://github.com/node-fetch/node-fetch/pull/1611
- WEBhttps://github.com/node-fetch/node-fetch/releases/tag/v3.2.10
- WEBhttps://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7