CVE-2026-41324: CWE-400: Uncontrolled Resource Consumption in patrickjuchli basic-ftp
basic-ftp versions prior to 5.3.0 contain a vulnerability where processing directory listings from a remote FTP server can lead to unbounded memory growth. A malicious or compromised FTP server can send an extremely large or never-ending directory listing response to the Client.list() method, causing the client to consume excessive memory and potentially crash or become unstable. This denial of service vulnerability is fixed in version 5.3.0.
AI Analysis
Technical Summary
The vulnerability CVE-2026-41324 affects the basic-ftp Node.js FTP client in versions before 5.3.0. It arises from uncontrolled resource consumption (CWE-400) due to unbounded memory growth when processing directory listings from a remote FTP server. Specifically, a malicious or compromised server can send an extremely large or infinite listing response to the Client.list() function, causing the client process to consume memory until it crashes or becomes unstable. This results in a denial of service condition. The issue is resolved in basic-ftp version 5.3.0.
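The bug class described above, shown as an added example: a listing accumulator that enforces a byte cap and tears down the stream on overflow. This is not basic-ftp source code and not the 5.3.0 fix; `BoundedListing`, `collectListing`, `ListingTooLargeError` and the 1 MiB default are assumptions made for illustration.

```javascript
// Added illustration; not basic-ftp source. Names and the 1 MiB cap are assumptions.
class ListingTooLargeError extends Error {}

// Buffers directory-listing bytes but refuses to grow past maxBytes.
class BoundedListing {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.size = 0;
    this.chunks = [];
  }
  push(chunk) {
    this.size += chunk.length;
    if (this.size > this.maxBytes) {
      this.chunks = []; // drop what was buffered so memory is released
      throw new ListingTooLargeError(`listing exceeded ${this.maxBytes} bytes`);
    }
    this.chunks.push(chunk);
  }
  lines() {
    return Buffer.concat(this.chunks).toString("utf8").split(/\r?\n/).filter(Boolean);
  }
}

// Attach to any Node Readable (e.g. a data socket). On overflow the stream is
// destroyed so a server that never stops sending cannot keep the client reading.
function collectListing(stream, maxBytes = 1024 * 1024) {
  return new Promise((resolve, reject) => {
    const acc = new BoundedListing(maxBytes);
    stream.on("data", (chunk) => {
      try {
        acc.push(chunk);
      } catch (err) {
        stream.destroy();
        reject(err);
      }
    });
    stream.on("end", () => resolve(acc.lines()));
    stream.on("error", reject);
  });
}

// Constructed sample input: a two-entry listing split across chunks.
const SAMPLE_CHUNKS = [
  Buffer.from("-rw-r--r-- 1 ftp ftp 120 Jan 01 00:00 a.txt\r\n-rw-r--r-- 1 ftp "),
  Buffer.from("ftp 64 Jan 01 00:00 b.txt\r\n"),
];
```

An accumulator without the size check in `push` is the unbounded pattern: every chunk the server sends stays in memory until the process fails.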
Potential Impact
An attacker controlling or compromising an FTP server can cause a denial of service on clients using vulnerable versions of basic-ftp by sending large or never-ending directory listing responses. This leads to excessive memory consumption on the client side, potentially crashing the client process or making it unstable. There is no impact on confidentiality or integrity reported, only availability is affected.
Mitigation Recommendations
Upgrade basic-ftp to version 5.3.0 or later, where this vulnerability is fixed. There is no official vendor advisory provided, but the description explicitly states that version 5.3.0 addresses the issue. Patch status is confirmed by the version upgrade requirement. No additional mitigations are indicated.
CVSS v3.1
Score: 7.5 (high)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-20T14:01:46.672Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69eaec2d87115cfb68c0d93d
Added to database: 4/24/2026, 4:06:05 AM
Last enriched: 5/1/2026, 8:42:00 PM
Last updated: 6/9/2026, 3:25:11 PM