
CVE-2022-0235 - node-fetch (peer dependency via isomorphic-fetch) #213

Closed
nathanlodge opened this issue Feb 3, 2022 · 5 comments

@nathanlodge

CVE-2022-0235

Versions of the node-fetch package lower than 2.6.7 are potentially vulnerable to exposure of sensitive information to an unauthorized actor (see GHSA-r683-j2x4-v87g)

The node-fetch package is a peer dependency of the Avatax-REST-V2-JS-SDK package via the isomorphic-fetch package:

"isomorphic-fetch": "^2.2.1"

isomorphic-fetch:
version "2.2.1"
resolved "https://registry.yarnpkg.com/isomorphic-fetch/-/isomorphic-fetch-2.2.1.tgz#611ae1acf14f5e81f729507472819fe9733558a9"
dependencies:
node-fetch "^1.0.1"
whatwg-fetch ">=0.10.0"

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ node-fetch is vulnerable to Exposure of Sensitive            │
│               │ Information to an Unauthorized Actor                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.7                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ isomorphic-fetch                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ isomorphic-fetch > node-fetch                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1006899                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Overriding node-fetch to a safe version is not currently an option

Testing with node-fetch version 2.6.7, the following TypeError is encountered while handling responses: TypeError: Cannot read properties of undefined (reading 'content-type'). It is raised here:

var contentType = res.headers._headers['content-type'];
var contentLength = res.headers._headers['content-length'];

Would it be possible to prioritize a fix for this vulnerability?
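Added example, not code from the AvaTax SDK or from node-fetch: a header accessor that uses the standard Headers.get() API when the response provides it and only falls back to the legacy node-fetch 1.x `_headers` shape (the exact internal layout of that fallback is an assumption), so the dependency can be moved past 2.6.7 without hitting the TypeError quoted above.

```javascript
// Added example (not from the AvaTax SDK or node-fetch): read response headers
// without depending on node-fetch internals. Assumes `res.headers` is either a
// WHATWG-style Headers object (node-fetch >= 2, whatwg-fetch, native fetch) or
// the legacy node-fetch 1.x object that exposes a private `_headers` map.
function readHeader(headers, name) {
  if (!headers) return null;
  const key = name.toLowerCase();
  // Standard API: Headers.get() is case-insensitive and returns null when absent.
  if (typeof headers.get === 'function') {
    const value = headers.get(key);
    return value === undefined ? null : value;
  }
  // Legacy node-fetch 1.x fallback. Assumption: `_headers` is a plain object
  // keyed by lowercased header name, with values stored as arrays of strings.
  if (headers._headers && Object.prototype.hasOwnProperty.call(headers._headers, key)) {
    const v = headers._headers[key];
    return Array.isArray(v) ? v.join(', ') : String(v);
  }
  return null;
}

// Mirrors what the SDK's response handling needs (content type and length)
// without touching `_headers`, which is undefined on node-fetch >= 2 and is
// what produced "Cannot read properties of undefined (reading 'content-type')".
function describeResponse(res) {
  const contentType = readHeader(res.headers, 'Content-Type') || '';
  const contentLength = readHeader(res.headers, 'Content-Length');
  return {
    isJson: /^application\/json\b/i.test(contentType),
    contentLength: contentLength === null ? null : Number(contentLength),
  };
}

// Constructed sample responses so the example runs stand-alone. A Map with
// lowercased keys stands in for a Headers object (both expose .get()).
const modernResponse = {
  headers: new Map([
    ['content-type', 'application/json; charset=utf-8'],
    ['content-length', '42'],
  ]),
};
const legacyResponse = {
  headers: { _headers: { 'content-type': ['text/html'], 'content-length': ['0'] } },
};
const noHeadersResponse = { headers: undefined };

console.log(describeResponse(modernResponse));   // { isJson: true, contentLength: 42 }
console.log(describeResponse(legacyResponse));   // { isJson: false, contentLength: 0 }
console.log(describeResponse(noHeadersResponse)); // { isJson: false, contentLength: null }
```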

@RodneyMorgan97

I'm attempting to leverage the client.resolveAddressPost(address); function in NextJS (Typescript) and am also receiving TypeError: Cannot read properties of undefined (reading 'content-type') on response.

Prioritizing fix for this would be much appreciated!

@eboureau

My PR #214 should address this issue

@nathanlodge
Author

Resolved by 7d87bb4

@chelevich

Should this bump the package version to 22.3.1?

@chelevich

Resolved in 22.5.0
