VYPR
High severity (7.5) · NVD Advisory · Published Dec 14, 2017 · Updated May 13, 2026

CVE-2016-10703

Description

A regular expression Denial of Service (DoS) vulnerability in the file lib/ecstatic.js of the ecstatic npm package, before version 2.0.0, allows a remote attacker to overload and crash a server by passing a maliciously crafted string.
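The shape of this weakness, as an added example that is not code from the ecstatic project: the pre-2.0.0 null-byte stripping loop beside a one-pass check that refuses null bytes instead of sanitising them. The function names are invented for this example; only the (req, res, next) middleware shape follows ecstatic's.

```javascript
// Added example for this advisory; not code from the ecstatic project.
// It contrasts the pre-2.0.0 null-byte stripping loop with a one-pass
// check. All function names here are invented for the example.

// Vulnerable shape: re-scan and re-replace the whole URL until no '%00'
// is left. Every pass is linear, and some inputs only expose their next
// '%00' after the previous one is removed, so the number of passes (and
// total cost) grows with the input length. `passes` makes that visible.
function stripNullBytesLooping(url) {
  let passes = 0;
  while (url.indexOf('%00') !== -1) {
    url = url.replace(/%00/g, '');
    passes += 1;
  }
  return { url, passes };
}

// Hardened shape: decode exactly once and refuse anything malformed or
// containing a null byte, instead of trying to sanitise it. One pass,
// whatever the input looks like.
function checkUrlForNullBytes(url) {
  let decoded;
  try {
    decoded = decodeURIComponent(url);
  } catch (e) {
    return { ok: false, reason: 'malformed percent-encoding' };
  }
  if (decoded.indexOf('\0') !== -1) {
    return { ok: false, reason: 'null byte in path' };
  }
  return { ok: true, path: decoded };
}

// Guard with the (req, res, next) middleware shape ecstatic uses, so it
// can sit in front of the static handler and answer 400 on bad input.
function nullByteGuard(req, res, next) {
  const result = checkUrlForNullBytes(req.url);
  if (!result.ok) {
    res.statusCode = 400;
    res.end('Bad Request: ' + result.reason);
    return;
  }
  next();
}
```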

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
ecstatic (npm)   < 2.0.0             2.0.0

Patches

1 commit: 71ce93988ead

Remove stripping of null bytes

https://github.com/jfhbrook/node-ecstatic · Joshua Holbrook · Aug 9, 2016 · via GHSA
1 file changed · +12 −0
  • lib/ecstatic.js (modified) +12 −0
    @@ -52,9 +52,21 @@ var ecstatic = module.exports = function (dir, options) {
       return function middleware (req, res, next) {
     
         // Strip any null bytes from the url
    +    // This was at one point necessary because of an old bug in url.parse
    +    //
    +    // See: https://github.com/jfhbrook/node-ecstatic/issues/16#issuecomment-3039914
    +    // See: https://github.com/jfhbrook/node-ecstatic/commit/43f7e72a31524f88f47e367c3cc3af710e67c9f4
    +    //
    +    // But this opens up a regex dos attack vector! D:
    +    //
    +    // Based on some research (ie asking #node-dev if this is still an issue),
    +    // it's *probably* not an issue. :)
    +    /*
         while(req.url.indexOf('%00') !== -1) {
           req.url = req.url.replace(/\%00/g, '');
         }
    +    */
    +
         // Figure out the path for the file from the given url
         var parsed = url.parse(req.url);
         try {
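Review bot: wrapping the while loop in `/* ... */` under the "it's *probably* not an issue" comment leaves dead code as the only record of the decision; delete the three lines outright and put the rationale (the url.parse bug is fixed upstream, and the loop is the DoS vector) in the commit message, ideally with a test that a URL containing `%00` no longer loops. The cost in the removed code is not the regex `/\%00/g` itself but the surrounding `while(req.url.indexOf('%00') !== -1)`, which re-runs a whole-string replace on every iteration until no `%00` remains, so work grows with the number of passes. If null bytes in `req.url` still need handling, a single bounded check before `url.parse(req.url)` (for example, answer 400 when the decoded path contains a null byte) keeps it at one pass.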
    

