CVE-2020-15168 Overview
CVE-2020-15168 is an improper input validation vulnerability in node-fetch, a popular Node.js module that provides a fetch API similar to the browser's window.fetch. The vulnerability occurs because node-fetch did not honor the size option after following an HTTP redirect, which means that when content size exceeded the configured limit, a FetchError would never be thrown and the process would complete without failure.
Critical Impact
Applications relying on node-fetch's size option to gate large files are vulnerable to denial of service attacks and potential cost overruns from processing unexpectedly large payloads.
Affected Products
- node-fetch versions prior to 2.6.1
- node-fetch versions 3.0.0-beta1 through 3.0.0-beta8
- Applications using node-fetch with size limits and redirect handling
Discovery Timeline
- 2020-09-10 - CVE CVE-2020-15168 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-15168
Vulnerability Analysis
The vulnerability exists in how node-fetch handles the size option when processing HTTP redirects. When a request is made with a size limit configured and the server responds with a redirect (301, 302, 303, 307, 308), node-fetch follows the redirect but fails to carry forward the original size constraint. This means the size validation that would normally trigger a FetchError when content exceeds the limit is bypassed entirely.
This behavior is particularly dangerous for applications that depend on the size option as a security control to prevent processing of unexpectedly large responses. An attacker who controls the target server or can inject redirect responses could exploit this to force the application to download and process arbitrarily large files.
The vulnerability maps to CWE-20 (Improper Input Validation) and CWE-770 (Allocation of Resources Without Limits or Throttling), as the size constraint—a critical resource allocation control—is improperly validated after redirect handling.
Root Cause
The root cause lies in the redirect handling logic within node-fetch. When constructing a new request to follow a redirect, the implementation failed to propagate the size option from the original request configuration. This oversight meant that the follow-up request operated without any size constraints, regardless of what was specified in the initial fetch call.
Attack Vector
The attack vector is network-based and requires no user interaction or privileges. An attacker can exploit this vulnerability by:
- Setting up a malicious server that responds with an HTTP redirect to a resource serving a large payload
- Waiting for a vulnerable application to make a request with a size limit to the attacker's server
- The redirect causes the size limit to be discarded, allowing the large payload to be fully downloaded and processed
This can result in denial of service through CPU/memory exhaustion when the application attempts to process the oversized content, as well as increased computing costs for cloud-hosted applications that pay for bandwidth or processing.
The vulnerability manifests in the redirect handling logic where the size option is not preserved across redirect requests. For technical implementation details, see the GitHub Security Advisory.
Detection Methods for CVE-2020-15168
Indicators of Compromise
- Unusual memory consumption spikes in Node.js applications using node-fetch
- Unexpected network traffic volume from applications making HTTP requests with redirects
- Increased processing time for HTTP requests that involve redirects
- Application crashes or slowdowns correlated with external HTTP requests
Detection Strategies
- Audit package.json and package-lock.json files for node-fetch versions below 2.6.1 or beta versions prior to 3.0.0-beta.9
- Use software composition analysis (SCA) tools to identify vulnerable node-fetch dependencies
- Monitor application logs for unexpectedly large response processing after redirect operations
- Implement runtime monitoring for Node.js memory and CPU usage anomalies
Monitoring Recommendations
- Enable application performance monitoring (APM) to track memory usage patterns in Node.js processes
- Configure alerts for HTTP requests that exceed normal response size thresholds
- Monitor network egress patterns for applications that consume external HTTP resources
- Implement logging for all HTTP redirects handled by the application to identify suspicious redirect chains
How to Mitigate CVE-2020-15168
Immediate Actions Required
- Upgrade node-fetch to version 2.6.1 or later for the 2.x branch
- Upgrade node-fetch to version 3.0.0-beta.9 or later for the 3.x beta branch
- Implement secondary size validation after fetch operations complete
- Review application code to identify all uses of node-fetch with size limits
Patch Information
The node-fetch project has released patched versions that properly propagate the size option through redirect handling. Users should upgrade to:
- Version 2.6.1 for stable release users
- Version 3.0.0-beta.9 for beta users
The patch can be obtained from the NPM Package Registry. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Implement manual size validation after fetch completes by checking response.headers.get('content-length') before processing the body
- Add application-level limits on response body size regardless of node-fetch configuration
- Configure network-level controls to limit maximum response sizes from external sources
- Disable automatic redirect following with redirect: 'manual' and implement custom redirect handling with size preservation
# Update node-fetch to patched version
npm update node-fetch@^2.6.1
# Or for specific version installation
npm install node-fetch@2.6.1 --save
# Audit for vulnerable dependencies
npm audit fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
