GHSA-vwjc-q9px-r9vq

GitHub Security Advisory

Denial of Service in ecstatic

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Versions of `ecstatic` prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the `Last-Modified` or `If-Modified-Since` headers.

Parsing certain inputs with `new Date()` or `Date.parse()` causes V8 to crash. Because ecstatic passes the value of the affected headers into one of these functions, sending such an input in either header crashes the server.

## Recommendation

Update to version 1.4.0 or later.
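
For code that handles conditional-request headers itself, the added example below (not ecstatic's code and not its 1.4.0 fix) keeps the raw header value away from `Date.parse()` and `new Date(string)` by accepting only the fixed-length RFC 7231 IMF-fixdate form and building the timestamp from numeric fields. The function names `parseHttpDate` and `isNotModified` are hypothetical, and rejecting the obsolete RFC 850 and asctime date forms is an assumption of this sketch.

```javascript
// Added example: strict If-Modified-Since handling without the Date string parser.
const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
const DAYS = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'];

// IMF-fixdate, e.g. "Sun, 06 Nov 1994 08:49:37 GMT" (always 29 characters).
const IMF_FIXDATE = new RegExp(
  '^(' + DAYS.join('|') + '), (\\d{2}) (' + MONTHS.join('|') +
  ') (\\d{4}) (\\d{2}):(\\d{2}):(\\d{2}) GMT$');

// Returns milliseconds since the epoch, or null for anything malformed.
function parseHttpDate(value) {
  // Length check first: bounds the work done on attacker-controlled input.
  if (typeof value !== 'string' || value.length !== 29) return null;
  const m = IMF_FIXDATE.exec(value);
  if (!m) return null;

  const dayName = m[1];
  const day = Number(m[2]);
  const month = MONTHS.indexOf(m[3]);
  const year = Number(m[4]);
  const hh = Number(m[5]), mm = Number(m[6]), ss = Number(m[7]);
  if (hh > 23 || mm > 59 || ss > 59) return null;

  // Numeric constructor only; the header string never reaches Date.parse().
  const ms = Date.UTC(year, month, day, hh, mm, ss);
  const d = new Date(ms);

  // Round-trip to reject impossible dates (31 Feb), two-digit-year remapping,
  // and a weekday name that does not match the calendar date.
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month ||
      d.getUTCDate() !== day || DAYS[d.getUTCDay()] !== dayName) {
    return null;
  }
  return ms;
}

// True when a 304 is appropriate. A malformed header is ignored, so the
// server falls back to sending the full response instead of failing.
function isNotModified(ifModifiedSince, mtimeMs) {
  const since = parseHttpDate(ifModifiedSince);
  if (since === null) return false;
  // HTTP dates have one-second resolution, so truncate the file mtime.
  return Math.floor(mtimeMs / 1000) * 1000 <= since;
}
```
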

Affected Packages

npm ecstatic
Affected versions: 0 (fixed in 1.4.0)

Related CVEs

Key Information

GHSA ID
GHSA-vwjc-q9px-r9vq
Published
June 7, 2018 7:43 PM
Last Modified
May 22, 2023 3:35 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
ecstatic
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.