CVE-2022-0235: 
JavaScript vulnerability analysis and mitigation

CVE-2022-0235 affects node-fetch, a Node.js module that provides a window.fetch compatible API. The vulnerability was discovered in January 2022 and involves exposure of sensitive information to unauthorized actors when following redirects (NVD, Debian LTS). The affected versions include node-fetch versions up to (excluding) 3.1.1.

The vulnerability stems from node-fetch not properly honoring the same-origin policy when handling redirects. When following a redirect to a third-party domain, the module would incorrectly forward sensitive headers such as cookies to the target URL. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could lead to the exposure of sensitive information like cookies and authentication tokens to unauthorized third-party domains when the application follows redirects. This could potentially allow attackers to capture sensitive user data or session information (Debian LTS).

The vulnerability has been fixed in node-fetch version 3.1.1. The fix prevents forwarding of secure headers to third-party domains during redirects. Users should upgrade to version 3.1.1 or later to address this security issue (Node-fetch Commit).