Denial of Service

Module: ecstatic

Published: December 13th, 2017

Reported by: Checkmarx



Vulnerable: < 2.0.0
Patched: >=2.0.0


ecstatic, a simple static file server middleware, is vulnerable to denial of service. If an attacker sends a request whose path contains a large number of URL-encoded null bytes (%00), processing that path can exhaust the Node.js process's memory and crash ecstatic.

Results from the original advisory

A payload of 22kB caused a lag of 1 second,
A payload of 35kB caused a lag of 3 seconds,
A payload of 86kB caused the server to crash


Upgrade to ecstatic 2.0.0 or later.

