Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ3amMtcTlweC1yOXZx

Denial of Service in ecstatic

Versions of ecstatic prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the Last-Modified or If-Modified-Since headers.

Parsing certain inputs with new Date() or Date.parse() cases v8 to crash. As ecstatic passes the value of the affected headers into one of these functions, sending certain inputs via one of the headers will cause the server to crash.

Recommendation

Update to version 1.4.0 or later.

Permalink: https://github.com/advisories/GHSA-vwjc-q9px-r9vq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ3amMtcTlweC1yOXZx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 6 years ago
Updated: 12 months ago

Identifiers: GHSA-vwjc-q9px-r9vq, CVE-2015-9242
References:

Repository: https://github.com/jfhbrook/node-ecstatic
Blast Radius: 0.0

Affected Packages

npm:ecstatic

Dependent packages: 714
Dependent repositories: 48,008
Downloads: 1,109,984 last month
Affected Version Ranges: < 1.4.0
Fixed in: 1.4.0
All affected versions: 0.0.0, 0.0.1, 0.1.0, 0.1.1, 0.1.2, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12, 0.4.13, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.3.0, 1.3.1
All unaffected versions: 1.4.0, 1.4.1, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.1.4