CVE-2015-9242

EPSS 0.50%

Denial of Service in ecstatic

Published: 6/7/2018Modified: 11/8/2023

Description

Versions of `ecstatic` prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the `Last-Modified` or `If-Modified-Since` headers. Parsing certain inputs with `new Date()` or `Date.parse()` cases v8 to crash. As ecstatic passes the value of the affected headers into one of these functions, sending certain inputs via one of the headers will cause the server to crash. ## Recommendation Update to version 1.4.0 or later.

Affected packages (1)

npm/ecstaticfrom 0, < 1.4.0

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-9242
PATCHhttps://github.com/jfhbrook/node-ecstatic
WEBhttps://bugs.chromium.org/p/v8/issues/detail?id=4640
WEBhttps://github.com/jfhbrook/node-ecstatic/commit/0d0a2779ac5e5843d3745920212dfac9b69440e2
WEBhttps://github.com/jfhbrook/node-ecstatic/pull/179