Description
The ftpcp() function in Lib/ftplib.py was not updated when
CVE-2021-4189 was fixed. While makepasv() was patched to replace
server-supplied PASV host addresses with the actual peer address
(getpeername()[0]), ftpcp() still calls parse227() directly and passes
the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Published: 2026-05-13
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ftpcp() routine in Python’s ftplib module accepts the host address provided in a server‑generated PASV response and uses it to open the data connection. Because the function does not verify that the address matches the control‑channel peer, an attacker who controls the FTP server can supply any IP and port in the PASV reply, leading the client to establish a TCP connection to that address. This behavior can expose internal services or allow the client to reach otherwise inaccessible networks, and it is classified as CWE‑918. It is inferred that the attacker must control the FTP server to supply a malicious PASV response.

Affected Systems

Any CPython installation that ships the unpatched ftplib module is potentially vulnerable. The advisory references the CPython project and its community pull request that introduced the fix, but no specific released version numbers are listed because the patch had yet to be merged into a released distribution at the time of the advisory.

Risk and Exploitability

The CVSS score of 5.9 denotes moderate severity. Exploitation requires a client to connect to an attacker‑controlled FTP server that sends a crafted PASV reply; no client‑side privileges or special network conditions are necessary. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited widespread exploitation. The likely attack vector involves an attacker hosting a malicious FTP server, connecting to the vulnerable Python client, and issuing a PASV response with a chosen IP and port so that the client initiates a connection to the attacker‑controlled destination.

Generated by OpenCVE AI on May 13, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a CPython distribution that includes the ftpcp patch (for example, Python releases issued after the community pull request was merged).
  • If an immediate upgrade is not possible, apply the community patch (PR 149648) that replaces the call to parse227() with a retrieval of the actual peer address via getpeername()[0] so that the data‑connection host is validated.
  • As a temporary measure, reconfigure ftplib to use active mode or wrap ftpcp() so that the PASV host field is ignored, preventing the client from connecting to attacker‑specified addresses.
  • Deploy outbound firewall rules or host‑based filtering to restrict connections initiated by the FTP client to only known trusted networks, blocking attempts to reach private or otherwise sensitive IP ranges.

Advisories

No advisories yet.

History

Thu, 14 May 2026 13:15:00 +0000

  • Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 22:00:00 +0000

  • First Time appeared (added): Python; Python cpython
  • Vendors & Products (added): Python; Python cpython

Wed, 13 May 2026 20:30:00 +0000

  • Description (added): The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
  • Title (added): FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
  • Weaknesses (added): CWE-918
  • References (added): none listed
  • Metrics (added): cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-05-14T12:49:39.908Z

Reserved: 2026-05-11T15:06:00.859Z

Link: CVE-2026-8328

Vulnrichment

Updated: 2026-05-14T12:49:23.200Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T21:16:50.167

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-8328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T22:45:06Z

Weaknesses