Open Redirect

Affecting ecstatic package, versions <2.2.2 || >=3.0.0 <3.3.2 || >=4.0.0 <4.1.2


Overview

ecstatic is a simple static file server middleware. Use it with a raw http server, express/connect or on the CLI.

Affected versions of this package are vulnerable to Open Redirect. The package did not validate redirect targets, so a crafted request could make the server answer with an HTTP 301 redirect to an arbitrary external domain.

Remediation

Upgrade ecstatic to version 2.2.2, 3.3.2, 4.1.2 or higher.

CVSS Score

5.4
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Credit
Mario Casola
CWE
CWE-601
Snyk ID
SNYK-JS-ECSTATIC-174543
Disclosed
23 Apr, 2019
Published
30 Apr, 2019