basic-ftp EUVD-2026-25390

CVE-2026-41324 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-24 GitHub_M GHSA-rp42-5vxx-qpwr
7.5
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (3 events)

Re-analysis Queued: Apr 24, 2026 - 14:52, vuln.today (cvss_changed)
Patch available: Apr 24, 2026 - 05:31, EUVD
Analysis Generated: Apr 24, 2026 - 04:30, vuln.today

Description (NVD)

basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list(), causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.

Analysis (AI)

Denial of service in basic-ftp for Node.js allows remote malicious FTP servers to crash client applications via unbounded memory consumption during directory listing operations. Attackers controlling or compromising an FTP server can send infinite or extremely large listing responses to Client.list() calls, exhausting client memory until process termination. …


Remediation (AI)

Within 24 hours: Inventory all Node.js applications that use the basic-ftp library and document the versions currently in use. Within 7 days: Implement network-level FTP traffic filtering to restrict connections to trusted, internal FTP servers only; add memory limits and timeouts to FTP client operations where possible. …

