{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/basic-ftp--5.3.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["basic-ftp (\u003c= 5.3.0)"],"_cs_severities":["medium"],"_cs_tags":["dos","ftp","denial-of-service","client-side"],"_cs_type":"advisory","_cs_vendors":["patrickjuchli"],"content_html":"\u003cp\u003eThe \u003ccode\u003ebasic-ftp\u003c/code\u003e library, versions 5.3.0 and earlier, is susceptible to a client-side denial-of-service (DoS) attack. A malicious or compromised FTP server can exploit this vulnerability by sending an unterminated multiline response during the initial FTP banner exchange. This occurs before authentication, allowing the attacker to control the data being buffered by the client. The vulnerable client continuously appends attacker-controlled data to \u003ccode\u003eFtpContext._partialResponse\u003c/code\u003e and repeatedly reparses the growing buffer without enforcing a maximum size limit. This can lead to excessive memory consumption and CPU usage on the client-side, ultimately resulting in process-level DoS, container OOM kills, worker restarts, queue backlogs, or service degradation in applications that rely on automated FTP connections. 
The vulnerability was reported in May 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA victim application initiates an FTP connection to a server using the \u003ccode\u003ebasic-ftp\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe attacker, controlling the FTP server, sends an initial FTP banner that starts a multiline response (e.g., \u0026ldquo;220-malicious banner starts\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker intentionally omits the terminating line of the multiline response (e.g., \u0026ldquo;220 ready\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebasic-ftp\u003c/code\u003e library\u0026rsquo;s \u003ccode\u003e_onControlSocketData\u003c/code\u003e function receives the initial chunk of data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_onControlSocketData\u003c/code\u003e function concatenates the received chunk with the existing \u003ccode\u003e_partialResponse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eparseControlResponse\u003c/code\u003e function parses the entire accumulated buffer, identifies it as an incomplete multiline response, and returns all of the accumulated data as \u003ccode\u003erest\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_partialResponse\u003c/code\u003e is updated with the \u003ccode\u003erest\u003c/code\u003e value, storing the unterminated multiline data.\u003c/li\u003e\n\u003cli\u003eThe process repeats indefinitely with each new chunk of data, causing the \u003ccode\u003e_partialResponse\u003c/code\u003e to grow without bound, leading to memory exhaustion and DoS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can result in significant disruptions to applications that utilize the \u003ccode\u003ebasic-ftp\u003c/code\u003e library. 
Observed damage includes Node.js process memory exhaustion, container OOM kills, worker crashes or restart loops, event loop CPU pressure due to repeated parsing, stuck FTP jobs, queue backlogs in scheduled import/export systems, and degraded availability of services relying on automated FTP ingestion. This can affect a wide range of applications including SaaS applications, backend jobs, document ingestion pipelines, legacy integrations, and build/deployment pipelines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect Basic-ftp Unbounded Buffer DoS\u003c/code\u003e to detect connections to FTP servers sending excessive data before authentication.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003ebasic-ftp\u003c/code\u003e that includes a maximum control response buffer size to address CVE-2026-44240.\u003c/li\u003e\n\u003cli\u003eConfigure network monitoring to detect unusually large FTP banner responses based on the \u003ccode\u003enetwork_connection\u003c/code\u003e log source, which may indicate a malicious FTP server.\u003c/li\u003e\n\u003cli\u003eImplement application-level monitoring to track the memory usage of Node.js processes using \u003ccode\u003ebasic-ftp\u003c/code\u003e to identify potential memory exhaustion issues.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-basic-ftp-dos/","summary":"The basic-ftp library is vulnerable to a client-side denial of service. 
A malicious FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication, causing the client to buffer attacker-controlled data without limit.","title":"basic-ftp Client-Side Denial of Service via Malicious FTP Server","url":"https://feed.craftedsignal.io/briefs/2024-01-basic-ftp-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Basic-Ftp (\u003c= 5.3.0)","version":"https://jsonfeed.org/version/1.1"}