CVE-2015-9242: Denial of Service in ecstatic
CVSS Score: 5.0 (CVSS v2)
Basic Information
CVE ID: CVE-2015-9242
GHSA ID:
EPSS Score: 0.64893%
CWE:
Published: 6/7/2018
Updated: 5/22/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ecstatic | npm | < 1.4.0 | 1.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from ecstatic's handling of the If-Modified-Since request header (the 'modifiedSince' value) in lib/ecstatic.js. The pre-patch code (lines 277-283) passed the user-supplied value to Date.parse()/new Date() inside a try/catch, but that guard did not help, because:
- it did not first check whether 'modifiedSince' was present at all, so an absent header was parsed like any other value;
- new Date() does not throw on a malformed or out-of-range date string; it returns an 'Invalid Date' object (a NaN time value) that the try/catch never sees, and that object then caused V8 to crash in the later date handling (e.g., dates beyond the range V8 can represent).
The patch added a presence check for 'modifiedSince' and an 'Invalid Date' check, confirming that the vulnerable pattern was in the date-parsing logic for this header.
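The pattern above, as an added example that is not ecstatic's own code: a parser for a client-supplied If-Modified-Since header written the vulnerable way (try/catch around new Date(), result never inspected) beside a hardened version with the two checks the patch is described as adding. The formatUnsafe() helper, the shouldSend304() conditional-GET decision and the sample headers are constructed for illustration; the advisory does not say which later call in ecstatic tripped over the Invalid Date object, so toISOString() here is a stand-in for "code that trusts the parsed date".

```javascript
// Added example (not ecstatic's code). Key JavaScript fact: new Date(str)
// never throws on a bad or out-of-range string. It returns an "Invalid Date"
// object whose time value is NaN, so a try/catch around the parse does not
// protect later code that assumes a real date. The representable range is
// +/- 8.64e15 ms from the epoch (roughly +/- 275,760 years).

// Vulnerable pattern: parse inside try/catch, never inspect the result.
function parseIfModifiedSinceUnsafe(headers) {
  let modifiedSince;
  try {
    modifiedSince = new Date(headers['if-modified-since']);
  } catch (e) {
    modifiedSince = null; // never reached: the Date constructor does not throw
  }
  return modifiedSince; // may be "Invalid Date" (NaN time value)
}

// Hardened pattern: require the header, then reject a NaN time value.
function parseIfModifiedSinceSafe(headers) {
  const raw = headers['if-modified-since'];
  if (typeof raw !== 'string' || raw.length === 0) return null; // presence check
  const d = new Date(raw);
  if (Number.isNaN(d.getTime())) return null; // "Invalid Date" check
  return d;
}

// Stand-in (hypothetical) for later code that trusts the parsed date:
// toISOString() throws RangeError on an Invalid Date, i.e. the failure
// surfaces outside the try/catch that wrapped the parse.
function formatUnsafe(headers) {
  return parseIfModifiedSinceUnsafe(headers).toISOString();
}

// Conditional-GET decision built on the hardened parser: answer 304 only when
// the file is not newer than the client's date; a rejected header means "send".
function shouldSend304(headers, fileMtime) {
  const since = parseIfModifiedSinceSafe(headers);
  if (since === null) return false;
  return fileMtime.getTime() <= since.getTime();
}

// Constructed sample request headers (lower-cased keys, as Node's http does).
const samples = {
  valid:   { 'if-modified-since': 'Wed, 21 Oct 2015 07:28:00 GMT' },
  missing: {},                                            // header absent
  garbage: { 'if-modified-since': 'not a date' },          // unparseable
  tooFar:  { 'if-modified-since': '+300000-01-01T00:00:00Z' }, // beyond Date range
};

// Stand-alone run: show what each parser does with each sample.
for (const [name, headers] of Object.entries(samples)) {
  const unsafe = parseIfModifiedSinceUnsafe(headers);
  const safe = parseIfModifiedSinceSafe(headers);
  console.log(name, 'unsafe ->', String(unsafe), '| safe ->', safe ? safe.toUTCString() : null);
}
```

Note that the missing-header case is just as bad as the out-of-range one for the unsafe parser: new Date(undefined) is also an Invalid Date, which is why the patch needed the presence check in addition to the 'Invalid Date' check.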