Summary
[email protected] is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list(), causing the client process to consume memory until it becomes unstable or crashes.
Details
The issue is in the package's default directory listing flow.
Client.list() reaches dist/Client.js, where the full listing response is downloaded into a StringWriter before parsing:
File: dist/Client.js:516-527
async _requestListWithCommand(command) {
const buffer = new StringWriter_1.StringWriter();
await (0, transfer_1.downloadTo)(buffer, {
ftp: this.ftp,
tracker: this._progressTracker,
command,
remotePath: "",
type: "list"
});
const text = buffer.getText(this.ftp.encoding);
this.ftp.log(text);
return this.parseList(text);
}
The vulnerable sink is StringWriter, which grows an in-memory Buffer with no limit:
File: dist/StringWriter.js:5-20
class StringWriter extends stream_1.Writable {
constructor() {
super(...arguments);
this.buf = Buffer.alloc(0);
}
_write(chunk, _, callback) {
if (chunk instanceof Buffer) {
this.buf = Buffer.concat([this.buf, chunk]);
callback(null);
}
else {
callback(new Error("StringWriter expects chunks of type 'Buffer'."));
}
}
getText(encoding) {
return this.buf.toString(encoding);
}
}
The critical operation is:
this.buf = Buffer.concat([this.buf, chunk]);
There is no maximum size check, no truncation, and no streaming parser. Because the remote FTP server controls the listing response, it can force the client to keep allocating memory until the process is terminated.
How it happens:
- An application connects to an attacker-controlled or compromised FTP server.
- The application calls
client.list(). - The server returns an extremely large or unbounded directory listing.
basic-ftpbuffers the full response inStringWriter.- Memory grows without bound due to repeated
Buffer.concat(...)calls.
PoC
The following PoC exercises the vulnerable buffering primitive directly:
const { StringWriter } = require("basic-ftp/dist/StringWriter.js");
function mb(n) {
return Math.round(n / 1024 / 1024) + "MB";
}
const writer = new StringWriter();
let wrote = 0;
for (let i = 0; i < 32; i++) {
const chunk = Buffer.alloc(4 * 1024 * 1024, 0x41);
writer.write(chunk);
wrote += chunk.length;
if ((i + 1) % 8 === 0) {
const m = process.memoryUsage();
console.log("written", mb(wrote), "rss", mb(m.rss), "heap", mb(m.heapUsed), "buf", mb(m.arrayBuffers));
}
}
console.log("final text len", writer.getText("utf8").length);
Observed output:
written 32MB rss 116MB heap 4MB buf 64MB
written 64MB rss 296MB heap 4MB buf 240MB
written 96MB rss 340MB heap 3MB buf 284MB
written 128MB rss 436MB heap 3MB buf 376MB
final text len 134217728
This demonstrates sustained memory growth in the same code path used to buffer directory listing data.
Supporting files saved alongside this report:
poc.jspoc_output.txt
Impact
This is a denial-of-service vulnerability affecting applications that use basic-ftp to list directories from remote FTP servers.
- Vulnerability class: Memory exhaustion / Denial of Service
- Attack precondition: The victim connects to a malicious or compromised FTP server and performs
Client.list() - Impacted users: Any application or service using
[email protected]against untrusted FTP endpoints - Security effect: The attacker can cause excessive memory consumption, process instability, and potential process termination
Recommended remediation:
- Enforce a maximum listing size.
- Abort transfers that exceed the configured limit.
- Prefer incremental or streaming parsing over full-response buffering.
Example defensive check:
if (this.buf.length + chunk.length > MAX_LISTING_BYTES) {
callback(new Error("FTP listing exceeds maximum allowed size."));
return;
}
this.buf = Buffer.concat([this.buf, chunk]);
Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.
CVE-2026-41324 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (5.3.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-41324? CVE-2026-41324 is a high-severity uncontrolled resource consumption vulnerability in basic-ftp (npm), affecting versions <= 5.2.2. It is fixed in 5.3.0. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
- How severe is CVE-2026-41324? CVE-2026-41324 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of basic-ftp are affected by CVE-2026-41324? basic-ftp (npm) versions <= 5.2.2 is affected.
- Is there a fix for CVE-2026-41324? Yes. CVE-2026-41324 is fixed in 5.3.0. Upgrade to this version or later.
- Is CVE-2026-41324 exploitable, and should I be worried? Whether CVE-2026-41324 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-41324 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-41324? Upgrade
basic-ftpto 5.3.0 or later.