CVE-2015-9242: Improper Input Validation

June 7, 2018 (updated January 8, 2021)

Certain input strings when passed to new Date() or Date.parse() in ecstatic node module before 1.4.0 will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic when this input is passed into the server via the If-Modified-Since header.

References

bugs.chromium.org/p/v8/issues/detail?id=4640
github.com/advisories/GHSA-vwjc-q9px-r9vq
github.com/jfhbrook/node-ecstatic/pull/179
nodesecurity.io/advisories/64
nvd.nist.gov/vuln/detail/CVE-2015-9242
www.npmjs.com/advisories/64

Code Behaviors & Features

Detect and mitigate CVE-2015-9242 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →