Vulnerabilities: 1 via 9 paths

Dependencies: 127

Source: npm


medium severity
new

Information Exposure

  • Vulnerable module: node-fetch
  • Introduced through: @types/firebase@3.2.1

Detailed paths

  • Introduced through: react-mdlzr@0.1.12 > @types/firebase@3.2.1 > firebase@9.6.4 > @firebase/auth@0.19.6 > node-fetch@2.6.5
  • Introduced through: react-mdlzr@0.1.12 > @types/firebase@3.2.1 > firebase@9.6.4 > @firebase/auth-compat@0.2.6 > node-fetch@2.6.5
  • Introduced through: react-mdlzr@0.1.12 > @types/firebase@3.2.1 > firebase@9.6.4 > @firebase/firestore@3.4.3 > node-fetch@2.6.5
  • Introduced through: react-mdlzr@0.1.12 > @types/firebase@3.2.1 > firebase@9.6.4 > @firebase/functions@0.7.7 > node-fetch@2.6.5
  • Introduced through: react-mdlzr@0.1.12 > @types/firebase@3.2.1 > firebase@9.6.4 > @firebase/storage@0.9.1 > node-fetch@2.6.5
  • Introduced through: react-mdlzr@0.1.12 > @types/firebase@3.2.1 > firebase@9.6.4 > @firebase/auth-compat@0.2.6 > @firebase/auth@0.19.6 > node-fetch@2.6.5
  • Introduced through: react-mdlzr@0.1.12 > @types/firebase@3.2.1 > firebase@9.6.4 > @firebase/firestore-compat@0.1.12 > @firebase/firestore@3.4.3 > node-fetch@2.6.5
  • Introduced through: react-mdlzr@0.1.12 > @types/firebase@3.2.1 > firebase@9.6.4 > @firebase/functions-compat@0.1.8 > @firebase/functions@0.7.7 > node-fetch@2.6.5
  • Introduced through: react-mdlzr@0.1.12 > @types/firebase@3.2.1 > firebase@9.6.4 > @firebase/storage-compat@0.1.9 > @firebase/storage@0.9.1 > node-fetch@2.6.5

Overview

node-fetch is a lightweight module that brings window.fetch to Node.js.

Affected versions of this package are vulnerable to Information Exposure. When fetching a remote URL with a Cookie header, if node-fetch receives a Location response header, it follows that URL and tries to fetch it with the provided cookie. This can lead to forwarding secure headers to a third party.

Remediation

Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.
