Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlxNjQtbXB4eC04N2Zn

Open Redirect in ecstatic

Versions of ecstatic prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirect targets, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domain.

Recommendation

If using ecstatic 4.x, upgrade to 4.1.2 or later.
If using ecstatic 3.x, upgrade to 3.3.2 or later.
If using ecstatic 2.x, upgrade to 2.2.2 or later.

Permalink: https://github.com/advisories/GHSA-9q64-mpxx-87fg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlxNjQtbXB4eC04N2Zn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 4 years ago
Updated: over 1 year ago

Identifiers: GHSA-9q64-mpxx-87fg
References:
Blast Radius: 0.0

Affected Packages

npm:ecstatic
Dependent packages: 714
Dependent repositories: 48,008
Downloads: 1,109,984 last month
Affected Version Ranges: >= 4.0.0, < 4.1.2, >= 3.0.0, < 3.3.2, < 2.2.2
Fixed in: 4.1.2, 3.3.2, 2.2.2
All affected versions: 0.0.0, 0.0.1, 0.1.0, 0.1.1, 0.1.2, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12, 0.4.13, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1
All unaffected versions: 2.2.2, 3.3.2, 4.1.2, 4.1.4