CVE-2022-1365: Withdrawn Advisory: Incorrect Authorization in cross-fetch
Withdrawn Advisory
This advisory has been withdrawn because the vulnerability originates from a dependency. For more information, see the Maintainer comments in https://huntr.com/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac.
Original Description
When fetching a remote URL with a Cookie header, if the response carries a Location header, the library follows that URL and fetches it with the same cookie. The cookie is therefore leaked to a third party. Example: you fetch example.com with a cookie; if the response redirects to attacker.com, the redirect target is fetched with the provided cookie.
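One way for a caller to avoid replaying credentials across origins, as an added example that is not cross-fetch's own code: follow redirects by hand and drop Cookie (and Authorization) before any hop that leaves the original origin. The fake fetch and the host names are constructed for the demo.

```javascript
// Added example, not cross-fetch's own code: a redirect-following wrapper that
// strips credential headers on cross-origin hops. `fetchImpl` is injected.
const SENSITIVE_HEADERS = ['cookie', 'authorization'];

// Resolve Location against the current URL and compare scheme + host + port.
function isSameOrigin(fromUrl, location) {
  return new URL(fromUrl).origin === new URL(location, fromUrl).origin;
}

// Copy of `headers` (plain object) minus credential headers on cross-origin hops.
function headersForRedirect(headers, fromUrl, location) {
  const sameOrigin = isSameOrigin(fromUrl, location);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameOrigin && SENSITIVE_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Follow up to `maxRedirects` hops ourselves. redirect: 'manual' makes the
// underlying fetch hand back the 3xx instead of replaying every header itself.
async function fetchWithSafeRedirects(fetchImpl, url, options = {}, maxRedirects = 5) {
  let currentUrl = url, headers = { ...(options.headers || {}) };
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(currentUrl, { ...options, headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status < 300 || res.status > 399 || !location) return res;
    headers = headersForRedirect(headers, currentUrl, location);
    currentUrl = new URL(location, currentUrl).toString();
  }
  throw new Error(`more than ${maxRedirects} redirects`);
}

// Constructed stand-in for the network (hypothetical hosts): example.com answers
// with a 302 to another origin; `received` records the headers each host saw.
function makeFakeFetch(received) {
  return async (url, init) => {
    const host = new URL(url).host;
    received[host] = { ...init.headers };
    if (host === 'example.com') {
      return { status: 302, headers: new Map([['location', 'https://third-party.example/landing']]) };
    }
    return { status: 200, headers: new Map() };
  };
}

// The advisory's scenario: the cookie must reach example.com and nobody else.
async function demo() {
  const received = {};
  const res = await fetchWithSafeRedirects(makeFakeFetch(received),
    'https://example.com/login', { headers: { Cookie: 'session=abc123' } });
  return { status: res.status, received };
}
```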