5

CVSS Score

Basic Information

CVE ID

CVE-2015-9242

GHSA ID

GHSA-vwjc-q9px-r9vq

EPSS Score

0.64893%

CWE

CWE-400

Published

6/7/2018

Updated

5/22/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-9242

CVE-2015-9242: Denial of Service in ecstatic

Versions of ecstatic prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the Last-Modified or If-Modified-Since headers.

Parsing certain inputs with new Date() or Date.parse() cases v8 to crash. As ecstatic passes the value of the affected headers into one of these functions, sending certain inputs via one of the headers will cause the server to crash.

Recommendation

Update to version 1.4.0 or later.

(GitHub Advisory)

5

CVSS Score

Basic Information

CVE ID

CVE-2015-9242

GHSA ID

GHSA-vwjc-q9px-r9vq

EPSS Score

0.64893%

CWE

CWE-400

Published

6/7/2018

Updated

5/22/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ecstatic	npm	< 1.4.0	1.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from ecstatic's handling of HTTP headers in lib/ecstatic.js. The pre-patch code (lines 277-283) attempted to parse user-supplied 'modifiedSince' headers with Date.parse()/new Date() in a try-catch, but:

Didn't first check if 'modifiedSince' was present
Didn't handle cases where Date.parse() produced technically valid Date objects that later caused v8 crashes (e.g., dates beyond v8's internal limits)
The patch added 'modifiedSince' presence checks and 'Invalid Date' validation, confirming the vulnerable pattern was in date parsing logic for these headers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `**st*ti*` prior to *.*.* *r* *****t** *y * **ni*l o* s*rvi** vuln*r**ility w**n **rt*in input strin*s *r* s*nt vi* t** `L*st-Mo*i*i**` or `I*-Mo*i*i**-Sin**` *****rs. P*rsin* **rt*in inputs wit* `n*w **t*()` or `**t*.p*rs*()` **s*s v* t

Reasoning

T** vuln*r**ility st*ms *rom **st*ti*'s **n*lin* o* *TTP *****rs in li*/**st*ti*.js. T** pr*-p*t** *o** (lin*s ***-***) *tt*mpt** to p*rs* us*r-suppli** 'mo*i*i**Sin**' *****rs wit* **t*.p*rs*()/n*w **t*() in * try-**t**, *ut: *. *i*n't *irst ****k i

5

Basic Information

Concerned about an active attack path?

CVE-2015-9242: Denial of Service in ecstatic

Recommendation

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI