Denial of Service

Module: ecstatic

Published: December 13th, 2017

Reported by: Checkmarx

CVE-2016-10703

CWE-400

Vulnerable: < 2.0.0
Patched: >= 2.0.0

Overview

ecstatic, a simple static file server middleware, is vulnerable to denial of service. If an attacker sends a request containing a large number of URL-encoded null bytes (%00), ecstatic can be crashed by exhausting the process's memory while handling that input.

Results from the original advisory

A payload of 22kB caused a lag of 1 second.
A payload of 35kB caused a lag of 3 seconds.
A payload of 86kB caused the server to crash.

Remediation

Upgrade to ecstatic 2.0.0 or later.
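A defender-side guard for the condition described above, added here as an example; it is not ecstatic's own code or the upstream fix. It rejects request paths that contain URL-encoded null bytes or exceed an assumed length cap before a static file server decodes them, and scans constructed access-log lines for the same pattern. The limits, the middleware shape and the log format are assumptions.

```javascript
// Assumed limits (not from the advisory): no legitimate static file path
// contains an encoded null byte, and normal paths are far shorter than this.
const MAX_PATH_LENGTH = 2048;

// Count URL-encoded null bytes in the raw path without decoding it, so the
// check itself does no work proportional to the decoded payload.
function countEncodedNulls(rawPath) {
  const matches = rawPath.match(/%00/g);
  return matches ? matches.length : 0;
}

// Decide whether a raw request path may be handed to the static server.
function inspectPath(rawPath) {
  if (rawPath.length > MAX_PATH_LENGTH) {
    return { allowed: false, reason: 'path too long', nulls: countEncodedNulls(rawPath) };
  }
  const nulls = countEncodedNulls(rawPath);
  if (nulls > 0) {
    return { allowed: false, reason: 'encoded null byte in path', nulls };
  }
  return { allowed: true, reason: null, nulls: 0 };
}

// Connect/Express-style middleware (assumed integration point): answer 400
// instead of passing the request on to the static handler.
function nullByteGuard(req, res, next) {
  const verdict = inspectPath(req.url);
  if (!verdict.allowed) {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

// Scan common-log-format lines and report requests carrying encoded nulls.
function scanAccessLog(lines) {
  return lines
    .map((line) => {
      const m = line.match(/"(?:GET|HEAD) (\S+) HTTP/);
      const path = m ? m[1] : '';
      return { path: path.slice(0, 40), bytes: path.length, nulls: countEncodedNulls(path) };
    })
    .filter((r) => r.nulls > 0);
}

// Constructed sample log lines (not taken from the advisory).
const SAMPLE_LOG = [
  '10.0.0.5 - - [13/Dec/2017:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
  '10.0.0.9 - - [13/Dec/2017:10:00:01 +0000] "GET /' + '%00'.repeat(3000) + ' HTTP/1.1" 400 11',
];
```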
