ecstatic, a simple static file server middleware, is vulnerable to denial of service. If a payload with a large number of null bytes (%00) is provided by an attacker, it can crash ecstatic by running it out of memory.
Results from the original advisory:
- A payload of 22kB caused a lag of 1 second
- A payload of 35kB caused a lag of 3 seconds
- A payload of 86kB caused the server to crash
Remediation: Update to version 2.0.0 or later.
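Where the upgrade cannot be applied immediately, a request guard in front of the static handler is the usual compensating control: a legitimate file path never contains a null byte, so such requests can be rejected before any decoding or file lookup happens. The following is an added example, not code from the ecstatic project; the function names, the reason strings and the 2048-byte default path cap are assumptions.

```javascript
// Added example (not ecstatic's own code): a connect-style middleware that
// refuses request paths containing null bytes, or that are oversized or
// malformed, before they reach a static file handler.
// Names and the 2048-byte default cap are assumptions.

// Returns null for an acceptable path, otherwise a short reason string.
function suspiciousPathReason(rawUrl, maxPathLength = 2048) {
  if (typeof rawUrl !== 'string') return 'no-url';
  // Only the path is used for file lookup; the query string is ignored.
  const path = rawUrl.split('?', 1)[0];
  // Check the length first so the decode below is bounded. The advisory's
  // crashing payload was 86kB, far beyond any legitimate path.
  if (path.length > maxPathLength) return 'too-long';
  // Fast path: a literal NUL or a percent-encoded %00 in the raw path.
  if (path.includes('\0') || /%00/i.test(path)) return 'null-byte';
  let decoded;
  try {
    decoded = decodeURIComponent(path);
  } catch (e) {
    // Malformed percent-encoding cannot name a real file either.
    return 'bad-encoding';
  }
  return decoded.includes('\0') ? 'null-byte' : null;
}

// Middleware factory in the (req, res, next) style ecstatic itself uses.
function rejectNullBytes(options = {}) {
  const maxPathLength = options.maxPathLength || 2048;
  return function nullByteGuard(req, res, next) {
    const reason = suspiciousPathReason(req.url, maxPathLength);
    if (reason === null) return next();
    // Log the reason, the length and the peer for detection, never the
    // payload itself (it may be tens of kilobytes).
    const len = typeof req.url === 'string' ? req.url.length : 0;
    const peer = req.socket && req.socket.remoteAddress;
    console.warn(`rejected request: reason=${reason} url_len=${len} peer=${peer}`);
    res.statusCode = 400;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Bad Request\n');
  };
}
```

Mount `rejectNullBytes()` before the ecstatic handler in the middleware chain; requests it rejects are answered with 400 and never reach the static file code.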
References:
- advisory.checkmarx.net/advisory/CX-2016-4450
- github.com/advisories/GHSA-pm9p-9926-w68m
- github.com/jfhbrook/node-ecstatic
- github.com/jfhbrook/node-ecstatic/commit/71ce93988ead4b561a8592168c72143907189f01
- github.com/jfhbrook/node-ecstatic/commit/71ce93988ead4b561a8592168c72143907189f01#diff-b2b5a88fb51675f1aa1065c093dce1ee
- nvd.nist.gov/vuln/detail/CVE-2016-10703
- www.checkmarx.com/advisories/denial-of-service-dos-vulnerability-in-ecstatic-npm-package
- www.npmjs.com/advisories/553