Platform
nodejs
Component
node-fetch
Fixed in
3.1.1
CVE-2022-0235 describes an information disclosure vulnerability in node-fetch, a popular Node.js module for making HTTP requests. The flaw allows an unauthorized party to extract sensitive information from affected applications. It affects node-fetch versions before 3.1.1; the fix ships in version 3.1.1.
The vulnerability lies in how node-fetch handles certain HTTP headers. A crafted HTTP exchange can cause those headers, which may carry API keys, authentication tokens or other sensitive configuration, to be exposed outside the application. That exposure can lead to unauthorized access to backend systems, data breaches and further compromise of the application and its underlying infrastructure. The impact is most severe for applications that use node-fetch to call external APIs or services, since leaked credentials could be used to impersonate the application against those services.
CVE-2022-0235 was publicly disclosed on January 16, 2022. While no active exploitation campaigns have been definitively linked to this vulnerability, the ease of exploitation and the potential for significant data exposure make it a high-priority concern. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, demonstrating the feasibility of extracting sensitive information.
Exploit Status
EPSS
0.53% (67th percentile)
CVSS Vector
The primary mitigation for CVE-2022-0235 is to upgrade the node-fetch dependency to version 3.1.1 or later. This version contains a fix that addresses the header handling issue. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a temporary workaround by carefully validating and sanitizing all incoming HTTP headers within your application code. While not a complete solution, this can reduce the attack surface. Additionally, review your application's logging and monitoring to identify any unusual activity or attempts to access sensitive data. After upgrading, confirm the fix by sending a crafted HTTP request designed to trigger the vulnerability and verifying that the sensitive information is no longer exposed.
Update the node-fetch dependency to version 3.1.1 or higher. This will resolve the sensitive information exposure vulnerability. Run `npm install node-fetch@latest` or `yarn upgrade node-fetch@latest` to update.
CVE-2022-0235 is a HIGH severity vulnerability affecting node-fetch versions before 3.1.1; it allows attackers to extract sensitive information through crafted HTTP requests.
You are affected if your Node.js application uses a node-fetch version earlier than 3.1.1. Check your package.json file to determine your version.
Upgrade to node-fetch version 3.1.1 or later. If immediate upgrade is not possible, implement header validation workarounds in your application code.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's ease of exploitation makes it a potential target.
Refer to the node-fetch GitHub repository and npm advisory for details: https://github.com/node-fetch/node-fetch/issues/1377