Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
Vulnerability Description
basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
Uncontrolled resource consumption (resource exhaustion)
Vulnerability Title
Basic FTP resource management error vulnerability
Vulnerability Description
Basic FTP is a Node.js FTP client library by the individual developer Patrick Juchli. Versions of Basic FTP prior to 5.3.1 contain a resource management error vulnerability: when parsing FTP control-channel multiline responses, the control response size is not limited, which can lead to client-side denial of service.
CVSS Information
N/A
Vulnerability Type
N/A