CVE-2016-10703
HIGH7.5EPSS 1.5%Denial of Service in ecstatic
Published: 12/28/2017Modified: 11/8/2023
Description
`ecstatic`, a simple static file server middleware, is vulnerable to denial of service. If a payload with a large number of null bytes (`%00`) is provided by an attacker it can crash ecstatic by running it out of memory. [Results from the original advisory](https://www.checkmarx.com/advisories/denial-of-service-dos-vulnerability-in-ecstatic-npm-package/) ``` A payload of 22kB caused a lag of 1 second, A payload of 35kB caused a lag of 3 seconds, A payload of 86kB caused the server to crash ``` ## Recommendation Update to version 2.0.0 or later.
Affected packages (1)
- npm/ecstaticfrom 0, < 2.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (8)
- ADVISORYhttps://github.com/advisories/GHSA-pm9p-9926-w68m
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-10703
- PATCHhttps://github.com/jfhbrook/node-ecstatic
- WEBhttps://advisory.checkmarx.net/advisory/CX-2016-4450
- WEBhttps://github.com/jfhbrook/node-ecstatic/commit/71ce93988ead4b561a8592168c72143907189f01
- WEBhttps://github.com/jfhbrook/node-ecstatic/commit/71ce93988ead4b561a8592168c72143907189f01#diff-b2b5a88fb51675f1aa1065c093dce1ee
- WEBhttps://www.checkmarx.com/advisories/denial-of-service-dos-vulnerability-in-ecstatic-npm-package
- WEBhttps://www.npmjs.com/advisories/553