
CVE-2015-9242: Denial of Service in ecstatic

CVSS Score: 5

Basic Information

EPSS Score: 0.64893%
Published: 6/7/2018
Updated: 5/22/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Package Name: ecstatic
Ecosystem: npm
Vulnerable Versions: < 1.4.0
First Patched Version: 1.4.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from ecstatic's handling of HTTP headers in lib/ecstatic.js. The pre-patch code (lines 277-283) attempted to parse the user-supplied 'modifiedSince' header value with Date.parse()/new Date() inside a try-catch, but it:

  1. Didn't first check whether 'modifiedSince' was present
  2. Didn't handle cases where Date.parse() produced technically valid Date objects that later caused v8 crashes (e.g., dates beyond v8's internal limits)

The patch added 'modifiedSince' presence checks and 'Invalid Date' validation, confirming that the vulnerable pattern was in the date parsing logic for these headers.
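The two checks named above (header presence and 'Invalid Date' validation) can be sketched as follows. This is an added example, not ecstatic's code or its patch: the function names, the 64-character length cap and the sample header values are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical helper: returns a valid Date for a header value, or null.
function parseHttpDate(value) {
  // Presence check: header absent, repeated (array) or implausibly long.
  // The 64-character cap is an assumption, not a value from the patch.
  if (typeof value !== 'string' || value.length === 0 || value.length > 64) {
    return null;
  }
  let ms;
  try {
    ms = Date.parse(value);
  } catch (err) {
    return null; // any engine-level parse failure means "no usable date"
  }
  // Date.parse() reports an unparseable string as NaN ("Invalid Date"),
  // not as an exception, so a try-catch alone does not catch it.
  if (!Number.isFinite(ms)) return null;
  return new Date(ms);
}

// Hypothetical decision function: true means reply 304, false means send the file.
// `headers` follows Node's convention of lowercased header names.
function isNotModified(headers, mtime) {
  const since = parseHttpDate(headers['if-modified-since']);
  if (since === null) return false; // fall back to a full response, never throw
  // HTTP dates have one-second resolution, so compare whole seconds.
  const toSec = (d) => Math.floor(d.getTime() / 1000);
  return toSec(mtime) <= toSec(since);
}

// Constructed sample inputs (not taken from the advisory).
const mtime = new Date('2015-10-21T07:28:00.500Z');
const samples = [
  {},                                                       // header missing
  { 'if-modified-since': 'not a date' },                    // unparseable
  { 'if-modified-since': 'Wed, 21 Oct 2015 07:28:00 GMT' }, // same second as mtime
  { 'if-modified-since': 'Tue, 20 Oct 2015 07:28:00 GMT' }, // older than the file
];
const results = samples.map((h) => isNotModified(h, mtime));
console.log(results);
```

Every rejected input ends in the same outcome as a request without the header: the file is served normally and the request handler does not throw.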

Versions of `ecstatic` prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the `Last-Modified` or `If-Modified-Since` headers. Parsing certain inputs with `new Date()` or `Date.parse()` causes v8 t
