Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in bftpd up to 6.2. Impacted is the function expand_groups of the file options.c of the component Configuration File Handler. Executing a manipulation can lead to heap-based buffer overflow. It is possible to launch the attack on the local host. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Heap-based buffer overflow in bftpd up to version 6.2 within the expand_groups function of the configuration file handler allows local authenticated attackers to cause limited memory corruption with high attack complexity. Public exploit code is available, though the vulnerability requires local access and elevated privileges (PR:L), significantly limiting real-world exploitation potential compared to its CVSS score. The vendor did not respond to early disclosure.
Technical ContextAI
The vulnerability exists in the expand_groups function within options.c, a component responsible for parsing and processing configuration file directives in bftpd. The flaw is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), indicating the function fails to validate buffer boundaries when processing group expansion directives. This typically occurs when configuration parsing routines allocate fixed-size buffers on the heap without proper length checking, allowing crafted configuration entries to write beyond allocated memory. The local attack vector and high complexity suggest the exploit requires careful manipulation of configuration files and likely depends on specific memory layout conditions or race conditions.
Affected ProductsAI
bftpd versions up to and including 6.2 are affected. The vulnerable component is the expand_groups function within options.c of the configuration file handler. No CPE string was provided in references; affected installations would typically match cpe:*:*:bftpd:*:*:*:*:*:*. The vendor (bftpd maintainers) did not respond to disclosure, suggesting no official patch or patched version has been released.
RemediationAI
No vendor-released patch identified at time of analysis; the vendor did not respond to early disclosure. Immediate remediation is limited to environment-level controls: (1) Restrict local system access to trusted administrators only - this eliminates the PR:L prerequisite for exploitation. (2) Enforce strict file permissions on bftpd configuration files (e.g., 0600 or 0400) to prevent unauthorized modification by local accounts. (3) Disable or remove bftpd if it is not actively used; if FTP service is required, migrate to maintained alternatives such as vsftpd (actively patched) or Pure-FTPd. (4) If bftpd must remain in use, monitor configuration file modifications via file integrity monitoring (FIM) tools to detect tampering attempts. (5) Run bftpd in a sandboxed or containerized environment with minimal privileges and restricted filesystem access to limit blast radius of heap corruption. Note: Given the vendor's non-responsiveness and the vulnerability's age, long-term solution should prioritize migration away from bftpd to supported FTP daemons.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today