Description
basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

basic‑ftp, a Node.js FTP client, fails to limit the size of multiline responses received from an FTP server. A malicious or compromised server can transmit an unterminated multiline reply during the initial banner phase, causing the client to keep appending data to its internal buffer and repeatedly reparsing it without any size check. This leads to unchecked memory and CPU consumption, eventually exhausting process resources. The vulnerability is classified under CWE‑400 (Resource Exhaustion) and CWE‑770 (Memory Leak).

Affected Systems

The affected product is basic‑ftp version 5.3.0 and earlier, maintained by patrickjuchli. Systems that use this library to automatically connect to external FTP endpoints are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity; however, no EPSS score is currently available, and the issue is not listed in CISA KEV. Attackers can exploit the flaw remotely by simply acting as an FTP server during the banner phase, which typically requires no special privileges. In practice, this can cause process‑level denial of service, container OOM kills, worker restarts, queue backlogs, or general service degradation in applications that rely on basic‑ftp.

Generated by OpenCVE AI on May 12, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade basic‑ftp to version 5.3.1 or later, which introduces a maximum control response size check.
  • If an immediate upgrade is not possible, place the FTP client behind a firewall or proxy that limits connection timeouts and disconnects sessions that consume excessive memory.
  • Add application‑level monitoring to detect stalled FTP connections and automatically restart or retry the connection to mitigate service degradation.

Generated by OpenCVE AI on May 12, 2026 at 22:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rpmf-866q-6p89 basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
History

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Patrickjuchli
Patrickjuchli basic-ftp
Vendors & Products Patrickjuchli
Patrickjuchli basic-ftp

Tue, 12 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.
Title basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Patrickjuchli Basic-ftp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:31:57.807Z

Reserved: 2026-05-05T15:42:40.519Z

Link: CVE-2026-44240

cve-icon Vulnrichment

Updated: 2026-05-14T12:31:49.163Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T21:16:16.410

Modified: 2026-05-14T13:16:19.250

Link: CVE-2026-44240

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:30:28Z

Weaknesses