Vulnerability Description
In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.)
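As an added illustration of the bug class the description names (a greater-than-zero guard that never replaces an initial -1 sentinel), the following hypothetical C clamp is not Pure-FTPd's code and not the patched logic from the referenced commit; it assumes a per-file limit `max_filesize` that starts at -1 and a quota module that later reports the bytes still available as `quota_remaining`:

```c
#include <stdbool.h>
#include <sys/types.h>

/* Hypothetical reconstruction of the CVE-2021-40524 bug class; not
 * Pure-FTPd's code. Assumption: max_filesize (off_t) starts at -1 meaning
 * "no per-file limit configured", and the account quota later supplies
 * quota_remaining, the bytes the user may still store. */
#define NO_LIMIT ((off_t) -1)

/* Buggy clamp: the "> 0" guard was meant to skip an unconfigured limit, but
 * it also skips the initial -1, so the quota never replaces it and the
 * effective limit stays "unbounded" (-1). */
off_t effective_limit_buggy(off_t max_filesize, off_t quota_remaining)
{
    if (max_filesize > (off_t) 0 && max_filesize > quota_remaining) {
        max_filesize = quota_remaining;
    }
    return max_filesize;
}

/* Fixed clamp: treat a negative value as "not set" and always fall back to
 * the quota, so the result is never larger than what the account may store. */
off_t effective_limit_fixed(off_t max_filesize, off_t quota_remaining)
{
    if (max_filesize < (off_t) 0 || max_filesize > quota_remaining) {
        max_filesize = quota_remaining;
    }
    return max_filesize;
}

/* Upload acceptance check shared by both variants: -1 means no limit at all,
 * which is exactly why leaking the sentinel through the clamp is dangerous. */
bool upload_allowed(off_t limit, off_t upload_size)
{
    if (limit == NO_LIMIT) {
        return true;
    }
    return upload_size <= limit;
}
```

A regression test for the fix is simply: with the limit unset and a small quota remaining, an oversized upload must be refused.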
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pureftpd | Pure-Ftpd | >= 1.0.23, < 1.0.50 |
Related Weaknesses (CWE)
References
- https://github.com/jedisct1/pure-ftpd/commit/37ad222868e52271905b94afea4fc780d83 (Patch, Third Party Advisory)
- https://github.com/jedisct1/pure-ftpd/compare/1.0.49...1.0.50 (Patch, Third Party Advisory)
- https://github.com/jedisct1/pure-ftpd/pull/158 (Exploit, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2025/11/msg00003.html
FAQ
What is CVE-2021-40524?
CVE-2021-40524 is a vulnerability with a CVSS score of 7.5 (HIGH). In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. Versions 1.0.23 through 1.0.49 are affected.
How severe is CVE-2021-40524?
CVE-2021-40524 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-40524?
Check the references section above for vendor advisories and patch information. Affected products include: Pureftpd Pure-Ftpd.