CVE-2020-15168: File size limit bypass in node-fetch
Impact
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Patches
We released patched versions for both stable and beta channels:
- For v2: 2.6.1
- For v3: 3.0.0-beta.9
Workarounds
None; it is strongly recommended to update as soon as possible.
For more information
If you have any questions or comments about this advisory:
- Open an issue in node-fetch
- Contact one of the core maintainers.
Other sources
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Node.js http-proxy module is vulnerable to a denial of service. By sending a specially crafted HTTP request with an overly long body, a remote attacker could exploit this vulnerability to trigger an ERR_HTTP_HEADERS_SENT unhandled exception and crash the server.
— IBM
Frequently Asked Questions
What is CVE-2020-15168?
CVE-2020-15168 is a vulnerability in the Node.js node-fetch module that allows a denial of service attack due to the failure to honor the size option after following a redirect.
How severe is CVE-2020-15168?
CVE-2020-15168 has a severity rating of 7.5 (High).
Which software versions are affected by CVE-2020-15168?
IBM Cloud Pak for Security (CP4S) versions 1.7.2.0, 1.7.1.0, and 1.7.0.0 are affected by CVE-2020-15168. Node-fetch versions up to 2.6.1 and versions 3.0.0-beta1, 3.0.0-beta5, 3.0.0-beta6, 3.0.0-beta7, and 3.0.0-beta8 are also affected.
How can I fix CVE-2020-15168?
Upgrade to node-fetch version 2.6.1 or higher.
Where can I find more information about CVE-2020-15168?
You can find more information about CVE-2020-15168 at the following links: [GitHub Advisory](https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r), [npmjs](https://www.npmjs.com/package/node-fetch), [IBM X-Force Exchange](https://exchange.xforce.ibmcloud.com/vulnerabilities/188155).