CVE-2022-0235

NameCVE-2022-0235
Descriptionnode-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3222-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-fetch (PTS)bullseye2.6.1-5+deb11u1fixed
bookworm3.3.0+~cs11.4.11-2fixed
sid, trixie3.3.2+~cs11.4.11-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-fetchsourcebuster1.7.3-1+deb10u1DLA-3222-1
node-fetchsourcebullseye2.6.1-5+deb11u1
node-fetchsource(unstable)2.6.1-7

Notes

https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/
Fixed by: https://github.com/node-fetch/node-fetch/commit/f5d3cf5e2579cb8f4c76c291871e69696aef8f80 (v3.1.1)
Search for package or bug name: Reporting problems