Open Redirect in ecstatic

high severity GitHub Reviewed Published Apr 1, 2020 • Updated Dec 15, 2020

Package

npm ecstatic (npm)

Affected versions

< 2.2.2
>= 3.0.0, < 3.3.2
>= 4.0.0, < 4.1.2

Patched versions

2.2.2
3.3.2
4.1.2

Description

Versions of ecstatic prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirect targets, allowing an attacker to craft a request that results in an HTTP 301 redirect to an arbitrary external domain.

Recommendation

If using ecstatic 4.x, upgrade to 4.1.2 or later.
If using ecstatic 3.x, upgrade to 3.3.2 or later.
If using ecstatic 2.x, upgrade to 2.2.2 or later.

References

GHSA ID

GHSA-9q64-mpxx-87fg