Fix cross-fetch — CVE-2022-1365 HIGH

Fix CVE-2022-1365 (HIGH) in cross-fetch for npm. Paste your package.json into PackageFix and get a patched version — no CLI, no signup. The vulnerability is an exposure of credentials via URL in HTTP requests.

⚠ Vulnerability

CVE-2022-1365 (HIGH) — exposure of credentials via URL in HTTP requests in cross-fetch versions below 4.0.0.

Vulnerable Version — package.json

"cross-fetch": "3.1.5"

Fixed Version — package.json

"cross-fetch": "4.0.0"

✓ Fix

Update cross-fetch to 4.0.0 or later. Run npm install to apply. Verify with your ecosystem's audit tool after updating.
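
Added example, not code from PackageFix or cross-fetch: package.json lists only direct dependencies, so a copy of cross-fetch installed transitively can stay below 4.0.0 after the manifest is updated. The functions below scan a parsed package-lock.json for every installed copy below the fixed version. They assume npm lockfileVersion 2 or 3 (the "packages" map); the sample lockfile and the package names some-sdk and other-lib are constructed.

```javascript
// Added example: flag every installed copy of cross-fetch below the fixed version.
const FIXED = "4.0.0"; // safe version stated on this page

// Parse the numeric "major.minor.patch" core of a version string.
function parseCore(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when `version` sorts below `fixed` in semver order.
function isBelow(version, fixed) {
  const a = parseCore(version), b = parseCore(fixed);
  if (!a || !b) return true; // unparseable: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  // Same core: a prerelease (4.0.0-alpha.1) sorts below the release itself.
  return /^v?\d+\.\d+\.\d+-/.test(String(version));
}

// Walk the lockfile "packages" map (lockfileVersion 2 or 3). Keys are install
// paths such as "node_modules/a/node_modules/cross-fetch"; "" is the root project.
function findVulnerable(lock, name = "cross-fetch", fixed = FIXED) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + name)) continue;
    if (isBelow(meta.version, fixed)) found.push({ path, version: meta.version });
  }
  return found;
}

// Constructed sample lockfile: the direct dependency is patched, but two
// hypothetical packages (some-sdk, other-lib) still nest older copies.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "cross-fetch": "^4.0.0" } },
    "node_modules/cross-fetch": { version: "4.0.0" },
    "node_modules/some-sdk/node_modules/cross-fetch": { version: "3.1.5" },
    "node_modules/other-lib/node_modules/cross-fetch": { version: "4.0.0-alpha.1" },
    "node_modules/@scope/cross-fetch": { version: "1.0.0" } // different package, ignored
  }
};

console.log(findVulnerable(sampleLock));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json in place of sampleLock.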


CVE Details

Field | Value
CVE ID | CVE-2022-1365
Severity | HIGH
Package | cross-fetch (npm)
Vulnerable versions | Below 4.0.0
Safe version | 4.0.0
CISA KEV |
Description | Exposure of credentials via URL in HTTP requests

Frequently Asked Questions

What is CVE-2022-1365?
CVE-2022-1365 is a HIGH severity vulnerability in cross-fetch (npm). It allows exposure of credentials via URL in HTTP requests. Update to version 4.0.0 or later to fix it.
How do I fix CVE-2022-1365 in cross-fetch?
Update cross-fetch to version 4.0.0 in your package.json. Run npm install after updating to apply the fix.
Is CVE-2022-1365 being actively exploited?
Check the live CISA KEV catalog at packagefix.dev — PackageFix always reflects the current KEV status.
How do I check if I am affected by CVE-2022-1365?
Paste your package.json into PackageFix. If your installed version of cross-fetch is below 4.0.0, you are affected. PackageFix shows the exact CVE ID and fix version.