GMS-2020-712: Open Redirect in ecstatic

April 1, 2020 (updated December 15, 2020)

Versions of ecstatic prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domains.

Recommendation

If using ecstatic 4.x, upgrade to 4.1.2 or later. If using ecstatic 3.x, upgrade to 3.3.2 or later. If using ecstatic 2.x, upgrade to 2.2.2 or later.

References

github.com/advisories/GHSA-9q64-mpxx-87fg
nvd.nist.gov/vuln/detail/CVE-2019-10775
www.npmjs.com/advisories/830

Code Behaviors & Features

Detect and mitigate GMS-2020-712 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →