CVE-2015-9242 — Denial of Service in ecstatic

Description

Versions of `ecstatic` prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the `Last-Modified` or `If-Modified-Since` headers. Parsing certain inputs with `new Date()` or `Date.parse()` cases v8 to crash. As ecstatic passes the value of the affected headers into one of these functions, sending certain inputs via one of the headers will cause the server to crash. ## Recommendation Update to version 1.4.0 or later.

How to fix CVE-2015-9242

To remediate CVE-2015-9242, upgrade the affected package to a fixed version below.

—upgrade to 1.4.0 or later

Is CVE-2015-9242 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.4.0

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-9242
PATCHgithub.com/jfhbrook/node-ecstatic
WEBbugs.chromium.org/p/v8/issues/detail?id=4640
WEBgithub.com/jfhbrook/node-ecstatic/commit/0d0a2779ac5e5843d3745920212dfac9b69440e2