CVE-2019-10775
Denial of Service vulnerability in ecstatic (npm)

Denial of Service · No known exploit · Fixable by Resolved Security

What is CVE-2019-10775 About?

The 'ecstatic' package, a static file server and middleware for Node.js, is susceptible to a denial of service vulnerability: a crafted HTTP request can crash the serving process, making the application unavailable to legitimate users until it is restarted. Exploitation is straightforward whenever the vulnerable server is reachable by the attacker.

Affected Software

ecstatic <4.1.3

Technical Details

The 'ecstatic' package contains a denial of service vulnerability where processing a crafted request raises an error that the server does not handle, terminating the Node.js process. The fix (described below) percent-encodes control characters and non-ASCII characters before they are placed into request URLs and redirect locations, which points to the failure mode: Node's http module refuses header values containing such characters, and `res.setHeader()` throws a `TypeError [ERR_INVALID_CHAR]` for them. When ecstatic builds a redirect `Location` header (such as the trailing-slash redirect it issues for directories) from an unencoded request path, that exception propagates out of the request handler as an uncaught exception and the process exits. This mechanism is inferred from the fix; the advisory itself does not name it, and the original text's guesses about recursion or unbounded memory allocation have no support in the patch.

What is the Impact of CVE-2019-10775?

Successful exploitation allows an unauthenticated remote attacker to crash the Node.js process running ecstatic, taking down everything that process serves until it is restarted. A process supervisor only narrows the outage window: the attacker can repeat the request as soon as the server is back.

What is the Exploitability of CVE-2019-10775?

Exploitation involves sending a crafted HTTP request whose path triggers the unhandled error in 'ecstatic'. Attack complexity is low, and there are no authentication or privilege requirements: anyone who can reach the server can trigger the crash, and access is typically remote. The risk is highest for publicly exposed ecstatic instances. A reverse proxy that normalizes or rejects malformed request paths before they reach Node reduces the exposure but does not remove it; upgrading is the fix.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
(none listed: no known public exploits)

What are the Available Fixes for CVE-2019-10775?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch introduces the ensureUriEncoded function, which sanitizes URLs by percent-encoding unsafe characters (control characters and non-ASCII bytes), and applies it when setting request URLs and redirect locations. Encoded values contain only printable ASCII, so downstream code and clients never see raw control characters or non-ASCII bytes, and the header-building step that previously threw on such input no longer does; that closes CVE-2019-10775. The same encoding also removes the classic ingredient of HTTP response splitting (raw CR/LF in a header value), although the advisory classifies the issue as a denial of service, not as response splitting.

Available Upgrade Options

  • ecstatic
    • <4.1.3 → Upgrade to 4.1.3
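A practitioner checking the upgrade wants to know about every installed copy of ecstatic, not just the top-level one, because a patched direct dependency does not fix a vulnerable copy pinned by another package. The following is an added example, not part of the advisory, that scans a package-lock.json (lockfile v1 nested tree or the v2/v3 "packages" map) for copies below 4.1.3; the sample lockfile and the package name some-dev-server are constructed for the example.

```javascript
'use strict';
// Added example for CVE-2019-10775, not part of the advisory: report every
// installed ecstatic below the fixed version from a package-lock.json object.
const FIXED_VERSION = '4.1.3';

// Minimal semver parser: major.minor.patch, optional pre-release, build
// metadata ignored. Throws on anything that is not a concrete version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when `version` sorts before `fixed`. A pre-release of the fixed
// version (4.1.3-rc.1) is still below it; 4.1.3 and anything later is not.
function isBelow(version, fixed) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre !== null && b.pre === null;
}

// Walk the lockfile and collect {path, version} for each vulnerable copy.
function findVulnerableEcstatic(lock, pkg = 'ecstatic', fixed = FIXED_VERSION) {
  const hits = [];
  if (lock.packages) {
    // lockfile v2/v3: flat map keyed by install path; nested copies appear as
    // node_modules/<parent>/node_modules/<pkg>.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue; // '' is the root project entry
      const name = path.slice(idx + 'node_modules/'.length);
      if (name === pkg && meta.version && isBelow(meta.version, fixed)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfile v1: nested tree under "dependencies".
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkg && meta.version && isBelow(meta.version, fixed)) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile: the project pins a patched ecstatic directly,
// but a hypothetical dependency (some-dev-server) still pulls in 3.3.2.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { ecstatic: '^4.1.3', 'some-dev-server': '^1.0.0' } },
    'node_modules/ecstatic': { version: '4.1.3' },
    'node_modules/some-dev-server': { version: '1.0.0', dependencies: { ecstatic: '^3.3.0' } },
    'node_modules/some-dev-server/node_modules/ecstatic': { version: '3.3.2' },
  },
};

console.log(JSON.stringify(findVulnerableEcstatic(SAMPLE_LOCK)));
// [{"path":"node_modules/some-dev-server/node_modules/ecstatic","version":"3.3.2"}]
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a nested hit means the parent package needs its own upgrade or an override, not just a top-level bump.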

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2019-10775?

Similar Vulnerabilities: CVE-2019-10774, CVE-2018-3720, CVE-2019-10776, CVE-2019-10777, CVE-2020-14039