All node-fetch CVEs — Complete Vulnerability History

Last updated: April 1, 2026 · Data: OSV Database

node-fetch is a lightweight fetch implementation for Node.js. The main CVE is a credential exposure vulnerability when following redirects.

npm · 80M+ weekly downloads · 2 CVEs total

Full CVE history

CVE             Year  Severity  Description                                         Fix
CVE-2022-0235   2022  HIGH      Credential exposure via redirect to different host  Fixed 2.6.7
CVE-2023-44487  2023  HIGH      HTTP/2 rapid reset (via transitive dep)             Fixed 3.3.2

Current safe version: 3.3.2

# Before
"node-fetch": "2.6.1"
# After
"node-fetch": "3.3.2"

Then run: npm install

node-fetch CVEs and safe versions

node-fetch is a lightweight fetch implementation for Node.js. It has had several significant CVEs related to URL handling and SSRF. Many projects have migrated to the native Node.js fetch (available since Node 18) to avoid this dependency entirely.

Known node-fetch CVEs

CVE             Severity  Description                                                Safe Version
CVE-2022-0235   HIGH      Exposure of sensitive info via redirect to non-HTTP URL    2.6.7+ or 3.1.1+
CVE-2020-15168  MED       No size limit on response body — DoS risk                  2.6.1+ or 3.0.0+
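The two checks behind these fixes, as an added example written for this page rather than taken from node-fetch's own source: a redirect test that drops credential headers when the target leaves the original origin or leaves HTTP(S) entirely (the CVE-2022-0235 case), and a bounded body reader that stops once a size limit is exceeded (the CVE-2020-15168 case). The header list and the strict same-origin rule are this example's own choices, and the sample body is constructed.

```javascript
// Added example, not node-fetch's own code: the two checks behind the fixes
// for CVE-2022-0235 (credentials forwarded on a cross-host redirect) and
// CVE-2020-15168 (unbounded response body), as standalone helpers.

// Headers that carry credentials and must not follow an unsafe redirect.
// This list is the example's own choice.
const CREDENTIAL_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// True when the redirect target leaves HTTP(S) (e.g. data: or file:) or
// leaves the original origin (scheme + host + port). Relative Location
// values resolve against the request URL, so they stay same-origin.
function isUnsafeRedirect(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl, from);
  if (to.protocol !== 'http:' && to.protocol !== 'https:') return true;
  return from.origin !== to.origin;
}

// Copy of `headers` (a plain object) with credential headers removed when the
// redirect is unsafe; an unchanged copy otherwise.
function headersForRedirect(fromUrl, toUrl, headers) {
  const strip = isUnsafeRedirect(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (strip && CREDENTIAL_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Collects an async iterable of byte chunks (a Response body works, since it
// is async-iterable in Node) but fails as soon as the running total passes
// maxBytes, instead of buffering a server-chosen body size in memory.
async function readBodyWithLimit(chunks, maxBytes) {
  const parts = [];
  let total = 0;
  for await (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) throw new Error(`response body exceeds ${maxBytes} bytes`);
    parts.push(Buffer.from(chunk));
  }
  return Buffer.concat(parts);
}

// Constructed sample body: `count` chunks of `size` bytes each.
async function* sampleBody(count, size) {
  for (let i = 0; i < count; i++) yield Buffer.alloc(size, 0x41);
}
```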

Fix node-fetch

# node-fetch v2 (CommonJS)
npm install node-fetch@2.7.0

# node-fetch v3 (ESM only)
npm install node-fetch@3.3.2

# Verify
npm list node-fetch

Migrate to native fetch (recommended)

Node.js 18+ includes a built-in fetch implementation. If you are on Node 18+, consider removing node-fetch entirely and using the native global fetch — one less dependency, no CVEs to track.

# Check your Node version
node --version

// If Node 18+, the global fetch is available without any import.
// Top-level await needs an ES module (.mjs or "type": "module" in package.json);
// in CommonJS, wrap these two lines in an async function.
const response = await fetch('https://api.example.com/data');
const data = await response.json();

# Remove node-fetch from package.json
npm uninstall node-fetch

NVD entries for node-fetch CVEs:
CVE-2020-15168 — No size limit on response body (fixed 2.6.1+)
CVE-2022-0235 — Sensitive info via redirect (fixed 2.6.7+ or 3.1.1+)

Common questions

Should I use node-fetch or the built-in fetch?
Node.js 18+ has a built-in fetch implementation. For new Node 18+ projects, the built-in fetch is preferred. For Node 16 or earlier, use node-fetch 3.x.
Is there a breaking change between node-fetch 2 and 3?
Yes — node-fetch 3 is ESM-only. If your project uses CommonJS (require()), you need to stay on node-fetch 2.6.7 or use a dynamic import() wrapper.