Platform: nodejs
Component: node-fetch
Fixed in: 3.1.1
CVE-2022-0235 describes an information disclosure vulnerability within the node-fetch library, a popular Node.js module for making HTTP requests. This flaw allows unauthorized actors to potentially extract sensitive information from affected applications. The vulnerability impacts versions of node-fetch up to and including 3.1.1. A fix is available in version 3.1.1.
The vulnerability stems from improper handling of headers within the node-fetch library. An attacker can craft malicious HTTP requests that expose internal details of the application, potentially including API keys, authentication tokens, or other sensitive data. This exposure can lead to unauthorized access to resources, data breaches, and further compromise of the system. The impact is particularly severe for applications that rely on node-fetch to interact with external APIs or services, as the attacker could leverage the exposed information to impersonate the application or gain control over those services.
CVE-2022-0235 was publicly disclosed on January 16, 2022. While no active exploitation campaigns have been definitively linked to this CVE, the ease of exploitation and the potential for significant data exposure make it a high-priority vulnerability. There are publicly available proof-of-concept exploits demonstrating the vulnerability. It is not currently listed on the CISA KEV catalog.
Applications built with Node.js that utilize the node-fetch library are at risk. This includes web applications, APIs, and backend services that rely on node-fetch for making HTTP requests. Specifically, applications that handle sensitive data or interact with external APIs are particularly vulnerable.
• nodejs / server: `npm list node-fetch` (shows the installed node-fetch version and which packages pull it in)
• nodejs / server: `npm audit` (reports known advisories for the installed dependency tree, node-fetch included)
• nodejs / server: Check package.json for versions <= 3.1.1
• nodejs / server: Review application logs for unusual HTTP requests or error messages related to header processing.
Exploit status: disclosure
EPSS: 0.53% (67th percentile)
CVSS vector
The primary mitigation for CVE-2022-0235 is to upgrade to node-fetch version 3.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by carefully validating and sanitizing all incoming HTTP headers. While not a complete solution, this can reduce the attack surface. Review your application's code to identify any instances where sensitive data might be exposed through HTTP headers. Consider using a Web Application Firewall (WAF) to filter out malicious requests targeting this vulnerability. Monitor your application logs for unusual HTTP requests or header patterns that might indicate an attempted exploitation.
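The fixed node-fetch releases stop forwarding credential-bearing request headers when a redirect leaves the original origin. The following is an added example, not code from node-fetch or from this page, showing how an application can enforce that same rule while it is still pinned to an older version: it follows redirects manually and strips `Authorization`, `WWW-Authenticate`, `Cookie` and `Cookie2` on any cross-origin hop. It assumes a fetch-compatible function (Node 18+ global `fetch`, or node-fetch) whose responses expose `.status` and `.headers.get()`; all function names are the author's own.

```javascript
// Added example (not node-fetch's own code): mirror the fixed releases'
// behaviour of not forwarding credentials across a cross-origin redirect.
const SENSITIVE_HEADERS = new Set(['authorization', 'www-authenticate', 'cookie', 'cookie2']);

// Two URLs share an origin when scheme and host (including port) match.
function isSameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Header set to send on the next hop: credentials survive only same-origin hops.
// Header names are lower-cased so the check is case-insensitive.
function headersForRedirect(fromUrl, toUrl, headers) {
  const sameOrigin = isSameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!sameOrigin && SENSITIVE_HEADERS.has(key)) continue; // drop on cross-origin hop
    out[key] = value;
  }
  return out;
}

// Follows up to maxRedirects hops with redirect: 'manual' so every hop passes
// through headersForRedirect. fetchImpl is injectable for offline testing.
async function fetchWithSafeRedirects(url, headers, fetchImpl = globalThis.fetch, maxRedirects = 5) {
  let current = String(url);
  let currentHeaders = { ...headers };
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(current, { headers: currentHeaders, redirect: 'manual' });
    const location = res.headers.get('location');
    if (![301, 302, 303, 307, 308].includes(res.status) || !location) {
      return { response: res, finalUrl: current, sentHeaders: currentHeaders };
    }
    const next = new URL(location, current).toString(); // resolve relative Location
    currentHeaders = headersForRedirect(current, next, currentHeaders);
    current = next;
  }
  throw new Error(`too many redirects (>${maxRedirects})`);
}
```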
Update the node-fetch dependency to version 3.1.1 or later. This fixes the sensitive-information disclosure vulnerability. Run `npm install node-fetch@latest` or `yarn upgrade node-fetch@latest` to update.
CVE-2022-0235 is a HIGH severity vulnerability affecting node-fetch versions up to 3.1.1, allowing attackers to extract sensitive information through crafted HTTP requests.
You are affected if your Node.js application uses node-fetch version 3.1.1 or earlier. Check your package.json file to determine your version.
Upgrade to node-fetch version 3.1.1 or later. If immediate upgrade is not possible, implement header validation workarounds in your application code.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's ease of exploitation makes it a potential target.
Refer to the node-fetch GitHub repository and npm advisory for details: https://github.com/node-fetch/node-fetch/issues/1377