CVE-2015-9242 – ecstatic

Package

Manager: npm
Name: ecstatic
Vulnerable Version: >=0 <1.4.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00498 pctl0.64881

Details

Denial of Service in ecstatic Versions of `ecstatic` prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the `Last-Modified` or `If-Modified-Since` headers. Parsing certain inputs with `new Date()` or `Date.parse()` cases v8 to crash. As ecstatic passes the value of the affected headers into one of these functions, sending certain inputs via one of the headers will cause the server to crash. ## Recommendation Update to version 1.4.0 or later.

Metadata

Created: 2018-06-07T19:43:11Z
Modified: 2023-05-22T15:35:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/06/GHSA-vwjc-q9px-r9vq/GHSA-vwjc-q9px-r9vq.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-vwjc-q9px-r9vq
Finding: F002
Auto approve: 1