Skip to content

Open Redirect in ecstatic

High severity GitHub Reviewed Published Apr 1, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm ecstatic (npm)

Affected versions

< 2.2.2
>= 3.0.0, < 3.3.2
>= 4.0.0, < 4.1.2

Patched versions

2.2.2
3.3.2
4.1.2

Description

Versions of ecstatic prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domains.

Recommendation

If using ecstatic 4.x, upgrade to 4.1.2 or later.
If using ecstatic 3.x, upgrade to 3.3.2 or later.
If using ecstatic 2.x, upgrade to 2.2.2 or later.

References

Reviewed Apr 1, 2020
Published to the GitHub Advisory Database Apr 1, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

Weaknesses

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-9q64-mpxx-87fg

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.