GHSA-rp42-5vxx-qpwr
Denial of Service vulnerability in basic-ftp (npm)


What is GHSA-rp42-5vxx-qpwr About?

This vulnerability in `basic-ftp@5.2.2` is a denial of service due to unbounded memory growth caused by processing oversized directory listings. A malicious or compromised FTP server can send an extremely large or never-ending listing, causing the client to consume all available memory and crash. This flaw is easy to exploit if a client connects to an untrusted FTP server and attempts to list its directory.

Affected Software

basic-ftp <5.3.0

Technical Details

The basic-ftp library, specifically version 5.2.2, is vulnerable to a denial-of-service attack. The Client.list() method eventually calls _requestListWithCommand, which uses a StringWriter to buffer the full directory listing response. The StringWriter class, in its _write method, repeatedly uses Buffer.concat([this.buf, chunk]) without any size limit or streaming parser. This means that if a malicious or compromised FTP server sends an excessively large or an endlessly streaming directory listing, the StringWriter.buf will grow indefinitely, consuming all available memory in the client process until it becomes unstable or crashes, leading to a denial of service. The attacker controls the response size, thus directly controlling the memory consumption.
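As an added illustration (not basic-ftp's own code), the unbounded Buffer.concat pattern described above beside a bounded variant that refuses a listing once it passes a byte limit. The class names, the limit, the drainListing helper and the sample listing line are constructed for this example.

```javascript
// Added example, not basic-ftp's own code. Both classes imitate the
// StringWriter role described above: the first mirrors the unbounded
// Buffer.concat pattern, the second is a hypothetical bounded variant that
// rejects a listing once it passes a caller-chosen byte limit.

// Unbounded: every chunk is concatenated onto buf, so the buffer size is
// dictated entirely by how much the server chooses to send.
class UnboundedStringWriter {
  constructor() { this.buf = Buffer.alloc(0); }
  write(chunk) {
    this.buf = Buffer.concat([this.buf, chunk]);
  }
  get size() { return this.buf.length; }
  getText() { return this.buf.toString("utf-8"); }
}

// Bounded: chunks are kept in an array (one concat at read time, so no
// repeated copying) and the writer fails fast when the total would exceed maxBytes.
class BoundedStringWriter {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.size = 0;
    this.chunks = [];
  }
  write(chunk) {
    if (this.size + chunk.length > this.maxBytes) {
      throw new RangeError(`listing exceeded ${this.maxBytes} bytes`);
    }
    this.chunks.push(chunk);
    this.size += chunk.length;
  }
  getText() { return Buffer.concat(this.chunks, this.size).toString("utf-8"); }
}

// Simulate a server streaming `lineCount` listing lines into a writer and
// report how many bytes were accepted and whether the writer refused more.
function drainListing(writer, lineCount) {
  // Constructed sample line in the UNIX-style LIST format (49 bytes).
  const line = Buffer.from("-rw-r--r-- 1 ftp ftp 1024 Jan 01 00:00 file.txt\r\n");
  let accepted = 0;
  for (let i = 0; i < lineCount; i++) {
    try {
      writer.write(line);
      accepted++;
    } catch (err) {
      return { accepted, bytes: writer.size, rejected: true, reason: err.message };
    }
  }
  return { accepted, bytes: writer.size, rejected: false, reason: null };
}
```

With the unbounded writer, memory grows by exactly one line per line the server sends with no ceiling; the bounded writer stops at the configured limit and surfaces an error the caller can handle.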

What is the Impact of GHSA-rp42-5vxx-qpwr?

Successful exploitation may allow attackers to cause target applications or systems to exhaust their memory, leading to instability, crashes, and denial of service.

What is the Exploitability of GHSA-rp42-5vxx-qpwr?

Exploitation of this vulnerability requires the target application to connect to an attacker-controlled or compromised FTP server and invoke the Client.list() method. The attacker does not need any authentication or special privileges on the client side, only control over the FTP server response. The attack is remote, as it occurs over the network when the client attempts to retrieve a directory listing. The primary condition increasing exploitation likelihood is the client's connection to untrusted FTP endpoints, allowing a malicious server to send an arbitrarily large or infinite directory listing, triggering unbounded memory growth.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary on record).

What are the Available Fixes for GHSA-rp42-5vxx-qpwr?

Available Upgrade Options

  • basic-ftp
    • <5.3.0 → Upgrade to 5.3.0


Additional Resources

What are Similar Vulnerabilities to GHSA-rp42-5vxx-qpwr?

Similar Vulnerabilities: CVE-2023-38035, CVE-2023-38604, CVE-2023-41042, CVE-2024-21147, GHSA-c6hm-c679-6g8x