PT-2020-6063 · Github · Node-Fetch · Rynop
Published: 2020-09-10 · Updated: 2021-05-25
CVE-2020-15168
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
node-fetch versions prior to 2.6.1
node-fetch versions prior to 3.0.0-beta.9
Description
node-fetch's `size` option caps the number of response body bytes the library will accept; when a body exceeds it, reading the body rejects with a FetchError of type 'max-size'. In the affected versions the request built to follow a redirect did not carry the `size` option over, so the limit was not applied to the response that arrived after the redirect: an oversized body is returned normally and no FetchError is ever thrown. For most users the fix has little or no impact. If you rely on node-fetch to gate files above a size, however, the impact can be significant: unless you independently check the size of the data after fetch() has completed, a redirect to an arbitrarily large resource lets your JS thread and memory get tied up processing it, potentially leading to a denial of service (DoS) or increased computing costs.
Recommendations
For versions prior to 2.6.1, update to version 2.6.1 or later.
For versions prior to 3.0.0-beta.9, update to version 3.0.0-beta.9 or later.
As a temporary workaround, enforce the limit yourself after fetch() has completed: reject responses whose Content-Length header exceeds your limit, and, because Content-Length may be absent or wrong, count bytes while consuming the body and abort as soon as the limit is passed rather than reading the whole body and checking its length afterwards, which already spends the memory you were trying to protect.
Fix
DoS
Resource Exhaustion
Allocation of Resources Without Limits
Related Identifiers
CVE-2020-15168
Affected Products
Suse
Node-Fetch