CVE-2022-0235 Overview
CVE-2022-0235 is an information exposure vulnerability affecting the node-fetch library for Node.js. The vulnerability allows sensitive information to be exposed to unauthorized actors through improper handling of redirect responses, potentially leaking cookies and authorization headers to third-party domains when following cross-origin redirects.
Critical Impact
Applications using vulnerable versions of node-fetch may inadvertently leak sensitive authentication credentials including cookies and authorization headers to malicious third-party servers when processing redirect responses.
Affected Products
- node-fetch (node-fetch project)
- Siemens SINEC INS
- Debian Linux
Discovery Timeline
- 2022-01-16 - CVE CVE-2022-0235 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0235
Vulnerability Analysis
This vulnerability stems from improper handling of HTTP redirect responses in the node-fetch library. When a request is made to a URL that returns a redirect response (3xx status code) pointing to a different origin, the library fails to properly strip sensitive headers before following the redirect. This allows authorization headers and cookies originally intended for the first server to be transmitted to the redirect destination.
The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-601 (URL Redirection to Untrusted Site). This combination indicates both the information disclosure aspect and the underlying open redirect behavior that enables the attack.
Root Cause
The root cause lies in the redirect handling logic within node-fetch. When processing HTTP redirects, the library should sanitize request headers to remove authentication credentials before making requests to different origins. The vulnerable implementation failed to properly clear sensitive headers like Authorization and cookies when the redirect target was on a different domain than the original request.
Attack Vector
An attacker can exploit this vulnerability through a network-based attack requiring user interaction. The attack scenario involves:
- The attacker controls a malicious server or compromises a server that the victim application makes requests to
- When the victim application sends an authenticated request (containing authorization headers or cookies) to this server, the attacker's server responds with an HTTP redirect to an attacker-controlled destination
- The vulnerable node-fetch library follows the redirect while preserving the sensitive authentication headers
- The attacker's destination server receives and captures the victim's authentication credentials
This attack is particularly dangerous in server-side applications that fetch user-supplied URLs or interact with untrusted external services while authenticated.
Detection Methods for CVE-2022-0235
Indicators of Compromise
- Unexpected outbound HTTP requests from application servers to unknown external domains following redirects
- Authentication tokens or cookies appearing in logs from third-party servers
- Unusual redirect chains in network traffic originating from Node.js applications
- Server-side request logs showing credential headers being sent to unexpected destinations
Detection Strategies
- Monitor network traffic for HTTP requests that follow redirects to external domains while carrying authorization headers
- Implement application-level logging to track redirect chains and header propagation
- Use dependency scanning tools to identify vulnerable versions of node-fetch in your codebase
- Review application logs for unusual authentication patterns or credential exposure events
Monitoring Recommendations
- Deploy network monitoring to detect cross-origin redirects with preserved authentication headers
- Implement alerting for node-fetch library usage in production environments pending patch verification
- Utilize Software Composition Analysis (SCA) tools to continuously monitor for vulnerable dependencies
- Establish baseline network behavior to detect anomalous redirect patterns
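An added example, not taken from the page or any vendor tool, of the log-based detection described above: it scans egress-proxy records for a cross-origin redirect that the same application then followed while still carrying a credential header. The JSON-lines log format, the field names and the 5-second correlation window are assumptions, and the sample log is constructed.

```javascript
// Added example (constructed, not from the page or any vendor tool): flag a
// credential header that was carried onto a cross-origin redirect target.
// Assumed log format: one JSON object per line with ts (seconds), app, url,
// status, optional location, and reqHeaders (lower-case request header names).
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);
const WINDOW_SECONDS = 5;   // assumed: the follow-up request lands within 5 s of the 3xx

function findCredentialLeaks(logText) {
  const events = logText.trim().split('\n').map(l => JSON.parse(l));
  const findings = [];
  for (const redirect of events) {
    if (redirect.status < 300 || redirect.status > 399 || !redirect.location) continue;
    const target = new URL(redirect.location, redirect.url);   // Location may be relative
    if (target.origin === new URL(redirect.url).origin) continue;   // same-origin hop is fine
    // Find the same app following that redirect shortly afterwards.
    const followUp = events.find(e => e.app === redirect.app && e.ts > redirect.ts
      && e.ts - redirect.ts <= WINDOW_SECONDS && e.url === target.href);
    if (!followUp) continue;
    const leaked = followUp.reqHeaders.filter(h => CREDENTIAL_HEADERS.has(h));
    if (leaked.length) {
      findings.push({ app: redirect.app, from: redirect.url, to: target.href, headers: leaked });
    }
  }
  return findings;
}

// Constructed sample: three redirect chains; only the first forwards a credential cross-origin,
// the second is a same-origin hop, the third is cross-origin but the header was already stripped.
const SAMPLE_LOG = `
{"ts":100,"app":"orders-svc","url":"https://api.partner.test/v1/login","status":302,"location":"https://collector.example.test/grab","reqHeaders":["authorization","accept"]}
{"ts":101,"app":"orders-svc","url":"https://collector.example.test/grab","status":200,"reqHeaders":["authorization","accept"]}
{"ts":102,"app":"billing-svc","url":"https://api.partner.test/v1/login","status":302,"location":"/v2/login","reqHeaders":["cookie"]}
{"ts":103,"app":"billing-svc","url":"https://api.partner.test/v2/login","status":200,"reqHeaders":["cookie"]}
{"ts":104,"app":"search-svc","url":"https://api.partner.test/docs","status":301,"location":"https://docs.partner.test/","reqHeaders":["authorization"]}
{"ts":105,"app":"search-svc","url":"https://docs.partner.test/","status":200,"reqHeaders":["accept"]}
`;

console.log(JSON.stringify(findCredentialLeaks(SAMPLE_LOG), null, 2));
```

The same correlation works on proxy or application logs from any HTTP client; the page's point is that a finding here means a credential left the origin it was issued for.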
How to Mitigate CVE-2022-0235
Immediate Actions Required
- Update node-fetch to a patched version that properly strips sensitive headers on cross-origin redirects
- Audit applications for usage patterns that may expose authentication credentials through redirects
- Implement URL validation to restrict redirect destinations to trusted domains
- Review and update dependency manifests to ensure patched versions are specified
Patch Information
A patch has been released by the node-fetch project to address this vulnerability. The fix is available in the GitHub commit 36e47e8a6406185921e4985dcbeff140d73eaa10. Organizations using Siemens SINEC INS should review the Siemens Security Advisory SSA-637483 for product-specific guidance. Debian Linux users should apply updates per the Debian LTS Announcement.
Workarounds
- Configure redirect handling to manually follow redirects (redirect: 'manual') and implement custom logic to strip sensitive headers before following cross-origin redirects
- Implement a wrapper around node-fetch that validates redirect destinations against an allowlist of trusted domains
- Use network-level controls to restrict outbound connections from application servers to known trusted destinations
- Consider alternative HTTP client libraries with more robust redirect handling if immediate patching is not possible
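An added example, not node-fetch project code, of the manual-redirect workaround and allowlist wrapper listed above: the wrapper follows redirects itself with redirect: 'manual', drops credential headers whenever the next hop changes origin, and optionally checks the target hostname against an allowlist. It assumes any fetch-compatible function as fetchImpl (node-fetch or Node's global fetch); the strict same-origin comparison is a choice made here, not the upstream project's own check, and the scenario in demoHops is constructed.

```javascript
// Added example, not node-fetch project code: follow redirects with
// redirect: 'manual', strip credential headers on cross-origin hops, and
// optionally enforce a hostname allowlist. fetchImpl is any fetch-compatible function.
const SENSITIVE = ['authorization', 'cookie', 'proxy-authorization', 'www-authenticate'];
const MAX_REDIRECTS = 5;

// Keep every header on a same-origin hop; drop credential headers otherwise.
function headersForRedirect(fromUrl, toUrl, headers) {
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameOrigin && SENSITIVE.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// allowedHosts: exact hostnames a redirect may land on; null disables the check.
function redirectAllowed(toUrl, allowedHosts) {
  return allowedHosts === null || allowedHosts.includes(new URL(toUrl).hostname);
}

async function safeFetch(fetchImpl, url, opts = {}, allowedHosts = null) {
  let current = url;
  let headers = { ...(opts.headers || {}) };
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = await fetchImpl(current, { ...opts, headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status < 300 || res.status > 399 || !location) return res;
    const next = new URL(location, current).href;   // Location may be relative
    if (!redirectAllowed(next, allowedHosts)) throw new Error(`redirect to ${next} blocked`);
    headers = headersForRedirect(current, next, headers);
    current = next;
  }
  throw new Error('too many redirects');
}

// Constructed scenario: the API origin answers 302 to a different host.
// Returns the header names actually sent on each hop.
async function demoHops() {
  const hops = [];
  const fakeFetch = async (u, o) => {
    hops.push({ url: u, headers: Object.keys(o.headers) });
    return u.startsWith('https://api.example.test/')
      ? { status: 302, headers: new Map([['location', 'https://other.example.test/capture']]) }
      : { status: 200, headers: new Map() };
  };
  await safeFetch(fakeFetch, 'https://api.example.test/login',
    { headers: { Authorization: 'Bearer token', Cookie: 'sid=1', Accept: 'application/json' } });
  return hops;
}
```

Method and body handling across a 303 are left to the caller; the wrapper only decides which headers and hosts a hop may carry.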
# Upgrade example
# Update node-fetch to the patched version allowed by the range in package.json
npm update node-fetch
# Verify installed version
npm list node-fetch
# For yarn users
yarn upgrade node-fetch
# Audit dependencies for known vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.