
CVE-2022-0235: node-fetch forwards secure headers to untrusted sites

CVSS Score: 8.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.67181%
Published: 1/21/2022
Updated: 11/29/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
node-fetch     npm         >= 3.0.0, < 3.1.1     3.1.1
node-fetch     npm         < 2.6.7               2.6.7

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the absence of a domain validation check during redirects in the fetch implementation. The fix introduced the 'isDomainOrSubdomain' check to strip sensitive headers when redirecting to untrusted domains. The vulnerable code existed in the redirect handling portion of the fetch function, which previously forwarded headers without this security check. The commit diff and CVE description confirm the lack of origin validation was the root cause.

WAF Protection Rules

WAF Rule

node-fetch forwards secure headers such as `authorization`, `www-authenticate`, `cookie`, & `cookie2` when redirecting to an untrusted site.
