VulnerableCode Package Details - pkg:npm/basic-ftp@5.3.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-35wn-ny8a-wkdv Aliases: CVE-2026-44240 GHSA-rpmf-866q-6p89	basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.	5.3.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-35wn-ny8a-wkdv
Aliases:
CVE-2026-44240
GHSA-rpmf-866q-6p89

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.

5.3.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-peec-p93p-2ych	basic-ftp: basic-ftp: Denial of Service via unbounded memory growth from malicious directory listings	CVE-2026-41324 GHSA-rp42-5vxx-qpwr

Vulnerability

Summary

Aliases

VCID-peec-p93p-2ych

basic-ftp: basic-ftp: Denial of Service via unbounded memory growth from malicious directory listings

CVE-2026-41324
GHSA-rp42-5vxx-qpwr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-07T20:54:57.217562+00:00	GHSA Importer	Affected by	VCID-35wn-ny8a-wkdv	https://github.com/advisories/GHSA-rpmf-866q-6p89	38.6.0
2026-06-07T20:53:49.192327+00:00	GHSA Importer	Fixing	VCID-peec-p93p-2ych	https://github.com/advisories/GHSA-rp42-5vxx-qpwr	38.6.0
2026-06-06T08:29:43.273311+00:00	GitLab Importer	Affected by	VCID-35wn-ny8a-wkdv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/basic-ftp/CVE-2026-44240.yml	38.6.0
2026-06-06T08:09:47.970693+00:00	GitLab Importer	Fixing	VCID-peec-p93p-2ych	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/basic-ftp/CVE-2026-41324.yml	38.6.0
2026-06-06T08:06:23.617844+00:00	GitLab Importer	Fixing	VCID-peec-p93p-2ych	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/basic-ftp/GHSA-rp42-5vxx-qpwr.yml	38.6.0
2026-06-04T16:52:59.015069+00:00	GithubOSV Importer	Fixing	VCID-peec-p93p-2ych	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rp42-5vxx-qpwr/GHSA-rp42-5vxx-qpwr.json	38.6.0