CVE-2020-15168

The `size` option isn't honored after following a redirect in node-fetch

Description

Impact

node-fetch did not honor the `size` option after following a redirect. When the redirected response's body exceeded the configured limit, no FetchError was thrown and the request completed as if it had succeeded.

For most users this fix will have little or no impact. However, if you rely on node-fetch to reject files above a given size, the impact could be significant. For example, if you do not double-check the size of the data after fetch() has completed, your JS thread could be tied up processing a large file (a denial of service) and/or incur computing costs.

Patches

We released patched versions for both stable and beta channels:

  • For v2: 2.6.1
  • For v3: 3.0.0-beta.9

Workarounds

None; it is strongly recommended to update as soon as possible.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in node-fetch
  • Contact one of the core maintainers.

Score: 2.6
Severity: Low
Ecosystem: JavaScript
Publish Date: September 10, 2020
Modified Date: March 13, 2026
Score Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
Affected Versions: