Skip to main content

basic-ftp CVE-2026-44240

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-06 https://github.com/patrickjuchli/basic-ftp GHSA-rpmf-866q-6p89
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 06, 2026 - 20:00 vuln.today
Analysis Generated
May 06, 2026 - 20:00 vuln.today
CVE Published
May 06, 2026 - 19:37 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 24,655 npm packages depend on basic-ftp (859 direct, 23,805 indirect)

Ecosystem-wide dependent count for version 5.3.1.

DescriptionGitHub Advisory

Summary

basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses.

A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size.

As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints.

---

Details

Root cause

The root cause is that incomplete FTP multiline control responses are buffered without an upper bound.

FtpContext stores incomplete control-channel data in _partialResponse:

https://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/FtpContext.ts#L63-L64

Incoming control-channel data is handled in _onControlSocketData. The implementation concatenates the previous incomplete response with the new chunk, parses the entire accumulated string, and stores parsed.rest back into _partialResponse:

https://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/FtpContext.ts#L328-L340

The relevant flow is:

completeResponse = this._partialResponse + chunk parsed = parseControlResponse(completeResponse) this._partialResponse = parsed.rest

There is no maximum size check before concatenating, before parsing, or before storing parsed.rest.

The parser accepts incomplete multiline responses and returns the entire unterminated multiline group as rest:

https://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/parseControlResponse.ts#L15-L43

If a server starts a multiline FTP response:

220-malicious banner starts

but never sends the terminating line:

220 ready

then parseControlResponse() treats the accumulated multiline data as incomplete and returns it as rest.

Because _onControlSocketData() feeds _partialResponse + chunk back into the parser on every new data event, the client repeatedly reparses a growing attacker-controlled buffer. This creates both memory growth and increasing parsing work.

Why this is security-relevant

The vulnerable component is a client library. The attacker does not need to authenticate to the victim system and does not need valid FTP credentials.

The attack occurs automatically when an application using basic-ftp connects to a malicious or compromised FTP server. The malicious response is sent as the FTP server banner before login. No additional user interaction is required after the application initiates a normal FTP connection.

This is realistic for applications that use FTP for:

  • scheduled imports or exports
  • customer-provided FTP endpoints
  • backup or synchronization jobs
  • CI/CD artifact mirroring
  • document ingestion pipelines
  • legacy business integrations

In those environments, one malicious or compromised FTP endpoint can cause the Node.js process using basic-ftp to consume excessive memory and CPU or remain stuck in a pending connection state.

---

Proof of Concept

The PoC uses a local malicious FTP server that accepts a victim connection and sends an unterminated multiline FTP banner. The banner starts with 220-, but the server never sends the required terminating 220 line.

Reproduction steps

From the root of the basic-ftp project:

bash
npm ci
npm run buildOnly

poc_control_parser_direct.js

bash
CHUNKS=1000 node poc_control_parser_direct.js | tee poc-results/parser_direct_1000.log

parser_direct_1000.log

Run the end-to-end malicious FTP server PoC:

poc_control_multiline_dos.js

bash
CHUNK_SIZE=8192 CHUNKS=1000 DELAY_MS=1 node poc_control_multiline_dos.js | tee poc-results/control_multiline_dos_1000.log

control_multiline_dos_1000.log

Observed result: parser-only PoC

text
[basic-ftp parseControlResponse incomplete multiline DoS]
Input fed: 7.81 MiB
Retained rest: 7.81 MiB
Initial rss/heap: 54.77 MiB 3.69 MiB
Final   rss/heap: 141.64 MiB 80.77 MiB

This shows that parseControlResponse() retained the full unterminated multiline response as rest.

The retained buffer grew to 7.81 MiB. Heap usage increased from 3.69 MiB to 80.77 MiB, and RSS increased from 54.77 MiB to 141.64 MiB.

Observed result: end-to-end malicious FTP server PoC

text
[server] listening on 127.0.0.1:34429
[server] victim connected
[progress] chunks=850 sent=6.6 MiB partialResponse=6.6 MiB heapUsed=227.5 MiB rss=292.4 MiB
[progress] chunks=900 sent=7.0 MiB partialResponse=7.0 MiB heapUsed=213.1 MiB rss=278.0 MiB
[final-before-close] chunks=1000 sent=7.8 MiB partialResponse=7.8 MiB heapUsed=82.1 MiB rss=146.8 MiB
[result] client connect() is still pending because the multiline response never terminated

Only 7.8 MiB of malicious control-channel data was sent. The client retained 7.8 MiB in _partialResponse, showed large memory spikes, and remained pending inside connect() because the multiline response was never terminated.

---

Expected behavior

The client should enforce a maximum size for incomplete FTP control responses. If the accumulated multiline response exceeds a safe limit, the client should close the connection and reject the active task with an error.

The client should not allow a remote FTP server to make _partialResponse grow without bound.

---

Actual behavior

A malicious FTP server can keep the client in a pending connection state by sending an unterminated multiline control response. basic-ftp continues buffering and reparsing the accumulated data without a maximum response size.

---

Impact

A malicious or compromised FTP server can cause denial of service in applications using basic-ftp.

Possible real-world impact includes:

  • Node.js process memory exhaustion
  • container OOM kill
  • worker crash or restart loop
  • event loop CPU pressure due to repeated reparsing
  • stuck FTP jobs
  • queue backlog in scheduled import/export systems
  • degraded availability of services relying on automated FTP ingestion

---

Threat model

The attacker controls, compromises, or can impersonate an FTP server that a victim application connects to.

Examples:

  1. A SaaS application allows customers to configure external FTP endpoints for automated imports.
  2. A backend job periodically pulls files from partner FTP servers.
  3. A document ingestion pipeline connects to FTP endpoints supplied by external users.
  4. A legacy integration uses FTP for scheduled synchronization.
  5. A build or deployment pipeline mirrors artifacts from an FTP server.

In each case, the victim application initiates a normal FTP connection. The malicious server sends an unterminated multiline banner before authentication. The vulnerable client then buffers and reparses the response indefinitely.

No FTP credentials are required for exploitation because the attack happens before login.

---

Suggested fix

Introduce a maximum control response buffer size, especially for incomplete multiline responses.

Recommended changes:

  • Add a maxControlResponseBytes or maxControlResponseLength limit.
  • Enforce the limit before or immediately after appending new control-channel data.
  • Close the connection and reject the active task when the limit is exceeded.
  • Add regression tests for unterminated multiline responses.

Example defensive logic:

text
if (completeResponse.length > maxControlResponseLength) {
    closeWithError(new Error("FTP control response exceeded maximum allowed size"))
}

A regression test should verify that a response beginning with 220- and never terminating with 220 is rejected after the configured size limit instead of being retained indefinitely.

---

Suggested regression test scenario

A test server should:

  1. Accept a client connection.
  2. Send an FTP multiline response opener such as 220-malicious banner\r\n.
  3. Continue sending additional lines without ever sending the terminating 220 line.
  4. Verify that the client rejects the connection once the configured response-size limit is exceeded.
  5. Verify that _partialResponse does not grow without bound.

AnalysisAI

Remote unauthenticated attackers can trigger memory exhaustion and process-level denial of service in Node.js applications using basic-ftp by sending unterminated FTP multiline control responses during initial connection. The vulnerability occurs in the client library when connecting to malicious or compromised FTP servers, causing unbounded buffer growth in _partialResponse with repeated CPU-intensive reparsing. This affects automated FTP integrations for scheduled imports, customer-provided endpoints, backup jobs, and CI/CD pipelines. Publicly available exploit code exists per GitHub security advisory GHSA-rpmf-866q-6p89. CVSS 7.5 HIGH with network attack vector, low complexity, and no authentication required confirms practical remote exploitation risk.

Technical ContextAI

The vulnerability exists in basic-ftp's FTP control-channel protocol parser implementation. The FtpContext class stores incomplete multiline FTP responses in _partialResponse without size limits. When processing control-channel data in _onControlSocketData(), the code concatenates previous partial data with new chunks (completeResponse = this._partialResponse + chunk), invokes parseControlResponse() on the accumulated buffer, and stores the unparsed remainder back into _partialResponse. The parseControlResponse() function treats unterminated multiline responses (starting with '220-' but never receiving the terminating '220 ' line) as incomplete and returns the entire accumulated data as 'rest'. This creates a cycle where each new data event triggers reparsing of a monotonically growing attacker-controlled buffer. The root cause maps to CWE-400 (Uncontrolled Resource Consumption) due to the absence of maximum control response buffer size enforcement. The FTP protocol uses multiline responses for banners and status messages, with lines beginning with numeric codes followed by '-' for continuation and ' ' for termination, making incomplete responses a natural protocol-level attack vector.

RemediationAI

Upgrade basic-ftp to version 5.3.1 or later, which introduces maximum control response buffer size limits to prevent unbounded memory growth. Update package.json dependency and run npm install or equivalent package manager command. Verify the fix with npm list basic-ftp to confirm version 5.3.1+ is installed. For applications that cannot immediately upgrade, implement application-level FTP connection timeouts (shorter than default) to limit exposure duration and add resource monitoring with automatic restart policies to detect and recover from memory exhaustion conditions. Consider implementing FTP server allowlisting to restrict connections only to trusted infrastructure, though this reduces flexibility in customer-facing or partner integration scenarios. Deploy connection-level resource limits in containerized environments (memory limits, CPU quotas) to prevent single DoS from cascading to other services, accepting that this creates a trade-off with legitimate high-volume FTP transfer capacity. Network-level controls are ineffective because the attack uses valid FTP protocol syntax over legitimate connections. Compensating controls provide only partial mitigation-upgrade to patched version is the definitive solution per vendor advisory at https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-44240 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy