CVE-2022-1365 in cross-fetchinfo

Summary

by MITRE • 04/16/2022

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/09/2026

The vulnerability in question involves the exposure of private personal information to unauthorized actors within the GitHub repository lquixada/cross-fetch prior to version 3.1.5. This repository serves as a cross-platform fetch implementation that bridges the gap between browser and Node.js environments, making it a widely used dependency in modern web applications. The exposure occurs through improper handling of sensitive data during HTTP request processing, where personal information may be inadvertently logged or transmitted without adequate protection measures.

The technical flaw stems from insufficient input validation and output sanitization mechanisms within the library's request handling code. When processing HTTP requests, the library fails to properly sanitize or mask sensitive data that may be present in headers, cookies, or request parameters. This vulnerability creates a pathway for attackers to intercept and access personal information such as authentication tokens, user identifiers, session data, and other confidential metadata that flows through the fetch implementation. The issue manifests particularly when the library logs request details for debugging purposes or when it forwards sensitive information to third-party services without proper encryption or access controls.

The operational impact of this vulnerability extends beyond simple data exposure, as it can enable various attack vectors including credential theft, session hijacking, and identity impersonation. Attackers can leverage this vulnerability to gain unauthorized access to user accounts, steal personal data, or perform malicious activities on behalf of legitimate users. The widespread adoption of cross-fetch as a core dependency in numerous applications amplifies the potential scope of impact, as a single vulnerable implementation can compromise multiple systems and user bases. This vulnerability directly aligns with CWE-209, which addresses exposure of system information to an unauthorized actor, and represents a significant security risk in environments where personal data processing is involved.

Mitigation strategies should focus on immediate version updates to 3.1.5 or later, which contain the necessary patches to address the information exposure issue. Organizations must conduct comprehensive dependency audits to identify all systems using vulnerable versions of cross-fetch and implement proper access controls for sensitive data handling. The implementation of secure coding practices including input validation, output encoding, and proper logging controls should be enforced across all development environments. Security monitoring systems should be enhanced to detect and alert on suspicious data transmission patterns, while network segmentation and encryption protocols should be strengthened to protect sensitive information in transit. Additionally, organizations should consider implementing automated dependency scanning tools to prevent future introduction of vulnerable components into their software supply chains, aligning with ATT&CK technique T1583.001 for supply chain compromise prevention and T1071.004 for application layer protocol usage monitoring.

Reservation

04/14/2022

Disclosure

04/16/2022

Moderation

accepted

CPE

ready

EPSS

0.01153

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!