Description
Denial of Service in ecstatic
ecstatic, a simple static file server middleware, is vulnerable to denial of service. If an attacker supplies a payload containing a large number of null bytes (%00), ecstatic can run out of memory and crash.
Results from the original advisory:
- A payload of 22kB caused a lag of 1 second
- A payload of 35kB caused a lag of 3 seconds
- A payload of 86kB caused the server to crash
Recommendation
Update to version 2.0.0 or later.
References
- https://nvd.nist.gov/vuln/detail/CVE-2016-10703
- https://github.com/jfhbrook/node-ecstatic/commit/71ce93988ead4b561a8592168c72143907189f01
- https://github.com/jfhbrook/node-ecstatic/commit/71ce93988ead4b561a8592168c72143907189f01#diff-b2b5a88fb51675f1aa1065c093dce1ee
- https://advisory.checkmarx.net/advisory/CX-2016-4450
- https://github.com/advisories/GHSA-pm9p-9926-w68m
- https://www.checkmarx.com/advisories/denial-of-service-dos-vulnerability-in-ecstatic-npm-package
- https://www.npmjs.com/advisories/553
Packages
Name: ecstatic (npm)
Affected versions: < 2.0.0
Fixed version: 2.0.0
Related vulnerabilities
CVSS3: 7.5
nvd
about 8 years ago
A regular expression Denial of Service (DoS) vulnerability in the file lib/ecstatic.js of the ecstatic npm package, before version 2.0.0, allows a remote attacker to overload and crash a server by passing a maliciously crafted string.