CVE-2016-10703 — Denial of Service in ecstatic

Description

`ecstatic`, a simple static file server middleware, is vulnerable to denial of service. If a payload with a large number of null bytes (`%00`) is provided by an attacker it can crash ecstatic by running it out of memory. [Results from the original advisory](https://www.checkmarx.com/advisories/denial-of-service-dos-vulnerability-in-ecstatic-npm-package/) ``` A payload of 22kB caused a lag of 1 second, A payload of 35kB caused a lag of 3 seconds, A payload of 86kB caused the server to crash ``` ## Recommendation Update to version 2.0.0 or later.

How to fix CVE-2016-10703

To remediate CVE-2016-10703, upgrade the affected package to a fixed version below.

—upgrade to 2.0.0 or later

Is CVE-2016-10703 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (8)

ADVISORYgithub.com/advisories/GHSA-pm9p-9926-w68m
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10703
PATCHgithub.com/jfhbrook/node-ecstatic
WEBadvisory.checkmarx.net/advisory/CX-2016-4450
WEB