Description
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.
Published: 2026-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

The issue is caused by unbounded memory consumption in the Client.list() method of the basic-ftp Node.js package. A malicious FTP server can send an excessively large or never‑ending directory listing, causing the client to allocate memory until the process becomes unstable or crashes. This results in a denial‑of‑service condition for applications that rely on the client. The weakness is classified as uncontrolled resource consumption (CWE‑400) and resource exhaustion (CWE‑770).

Affected Systems

The vulnerability affects the basic-ftp library distributed by patrickjuchli for Node.js. Versions earlier than 5.3.0 are impacted. Applications that import and use basic‑ftp for FTP operations must ensure they run a version that is not susceptible to the flaw.

Risk and Exploitability

The CVSS base score for this flaw is 7.5, indicating a high impact. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector requires the attacker to control or compromise an FTP server that the client connects to; the attacker can then issue a tailored listing response designed to trigger the memory‑leak in Client.list(). The flaw’s nature means that any application that relies on unfiltered directory listings is at risk, but sensitive services will only be affected if the attacker can force the client to process the malicious data.

Generated by OpenCVE AI on April 28, 2026 at 06:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade basic-ftp to version 5.3.0 or later.
  • Configure the FTP server to limit the size or number of entries returned in directory listings, or enforce a timeout for long responses.
  • Implement client‑side checks to truncate or abort listing operations that exceed a reasonable size threshold.

Generated by OpenCVE AI on April 28, 2026 at 06:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rp42-5vxx-qpwr basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
History

Mon, 27 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Patrickjuchli
Patrickjuchli basic-ftp
CPEs cpe:2.3:a:patrickjuchli:basic-ftp:*:*:*:*:*:node.js:*:*
Vendors & Products Patrickjuchli
Patrickjuchli basic-ftp

Sun, 26 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.
Title basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Patrickjuchli Basic-ftp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:50:23.130Z

Reserved: 2026-04-20T14:01:46.672Z

Link: CVE-2026-41324

cve-icon Vulnrichment

Updated: 2026-04-24T18:49:34.435Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T04:16:20.767

Modified: 2026-04-27T17:48:44.593

Link: CVE-2026-41324

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T03:28:48Z

Links: CVE-2026-41324 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:00:09Z

Weaknesses