[Snyk: Med] Information Exposure (Due: 07/29/24) #224
Comments
This was referenced May 29, 2024
|
Closing this issue because node-fetch is brought in through fec-cms And according to the cms ticket, draftail does not have any available upgrades. fecgov/fec-cms#6307 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Affecting node-fetch package, versions <2.6.7 >=3.0.0 <3.1.1
How to fix?
Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.
Overview
node-fetch is a light-weight module that brings window.fetch to node.js
Affected versions of this package are vulnerable to Information Exposure when fetching a remote url with Cookie, if it get a Location response header, it will follow that url and try to fetch that url with provided cookie. This can lead to forwarding secure headers to 3th party.
Completion Criteria
The text was updated successfully, but these errors were encountered: