Vulnerability Description
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Patrickjuchli | Basic-Ftp | < 5.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rp42-5vxx-qp (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-41324?
CVE-2026-41324 is a vulnerability with a CVSS score of 7.5 (HIGH). basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A mali...
How severe is CVE-2026-41324?
CVE-2026-41324 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41324?
Check the references section above for vendor advisories and patch information. Affected products include: Patrickjuchli Basic-Ftp.