Source: node-fetch Version: 1.7.3-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 1.7.3-1
Hi, The following vulnerability was published for node-fetch. CVE-2020-15168[0]: | node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the | size option after following a redirect, which means that when a | content size was over the limit, a FetchError would never get thrown | and the process would end without failure. For most people, this fix | will have a little or no impact. However, if you are relying on node- | fetch to gate files above a size, the impact could be significant, for | example: If you don't double-check the size of the data after fetch() | has completed, your JS thread could get tied up doing work on a large | file (DoS) and/or cost you money in computing. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-15168 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15168 [1] https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r Regards Salvatore