All node-fetch CVEs — Complete Vulnerability History
node-fetch is a lightweight fetch implementation for Node.js. The main CVE is a credential exposure vulnerability when following redirects.
npm · 80M+ weekly downloads · 2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2022-0235 | 2022 | HIGH | Credential exposure via redirect to different host | Fixed 2.6.7 |
| CVE-2023-44487 | 2023 | HIGH | HTTP/2 rapid reset (via transitive dep) | Fixed 3.3.2 |
Current safe version: 3.3.2
Update the dependency in package.json:

```diff
- "node-fetch": "2.6.1"
+ "node-fetch": "3.3.2"
```

Then run: npm install
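To show what the credential-exposure fix (CVE-2022-0235) guards against, here is an added example, not node-fetch's own code, of a redirect helper that drops credential-bearing headers when the Location target is on a different host; the header list and the exact-host comparison are assumptions of this illustration.

```javascript
// Added illustration of the cross-host redirect mitigation. Not node-fetch's code:
// the header list below and the exact-host comparison are assumptions.

// Headers that carry credentials and must not travel to an unrelated host.
const SENSITIVE_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// True when the redirect target's host differs from the original request's host.
// Relative Location values (e.g. "/v2") resolve against the original URL.
function redirectCrossesHost(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl, fromUrl);
  return from.host !== to.host;
}

// Returns the headers safe to send to `toUrl` (keys lower-cased) and the names
// that were removed, so a caller can log a stripped credential as a signal.
function sanitizeHeadersForRedirect(headers, fromUrl, toUrl) {
  const crossHost = redirectCrossesHost(fromUrl, toUrl);
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (crossHost && SENSITIVE_HEADERS.includes(lower)) {
      dropped.push(lower); // credential must not follow the redirect off-host
      continue;
    }
    kept[lower] = value;
  }
  return { headers: kept, dropped };
}

// Constructed sample: an authenticated request redirected to another host.
if (typeof require !== 'undefined' && require.main === module) {
  const sample = { Authorization: 'Bearer token', Cookie: 'sid=1', Accept: 'application/json' };
  const result = sanitizeHeadersForRedirect(sample, 'https://api.example.com/v1', 'https://cdn.example.net/file');
  console.log('forwarded headers:', result.headers);
  console.log('stripped on cross-host redirect:', result.dropped);
}

module.exports = { SENSITIVE_HEADERS, redirectCrossesHost, sanitizeHeadersForRedirect };
```

A vulnerable client would forward the Authorization header unchanged in the cross-host case; the safe behaviour keeps it only when the host is unchanged.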
Common questions
Should I use node-fetch or the built-in fetch?
Node.js 18+ has a built-in fetch implementation. For new Node 18+ projects, the built-in fetch is preferred. For Node 16 or earlier, use node-fetch 3.x.
Is there a breaking change between node-fetch 2 and 3?
Yes — node-fetch 3 is ESM-only. If your project uses CommonJS (require()), you need to stay on node-fetch 2.6.7 or use a dynamic import() wrapper.