Denial of Service Vulnerability in basic-ftp FTP Client for Node.js
CVE-2026-44240

7.5 HIGH

Key Information:

CVE Published: 12 May 2026

What is CVE-2026-44240?

The basic-ftp library, a popular FTP client for Node.js, is vulnerable to denial of service in versions prior to 5.3.1 because it improperly handles multiline responses from FTP servers. An attacker could exploit this vulnerability by sending an unterminated response during the initial connection phase. The application then repeatedly reparses an ever-growing buffer filled with malicious data, causing excessive memory consumption, increased CPU usage, and potential service degradation. Applications that rely on basic-ftp for handling FTP connections may experience significant operational disruptions, such as process hang-ups or crashes, particularly in environments where reliable FTP connectivity is critical. The vulnerability has been addressed in version 5.3.1.
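The following is an added example, not code from basic-ftp or its fix: a reply parser that avoids both conditions described above by examining each received line once and by capping how much data an unfinished reply may hold. The class name `BoundedReplyParser` and the 64 KiB default cap are assumptions; the multiline framing (`220-` opens a reply, `220 ` closes it) follows RFC 959.

```javascript
// Added example, not basic-ftp code. Lengths are in characters of the decoded stream.
class BoundedReplyParser {
  constructor(limit = 64 * 1024) {   // assumed cap; tune per deployment
    this.limit = limit;
    this.partial = "";    // trailing data whose newline has not arrived yet
    this.lines = [];      // completed lines of the reply being assembled
    this.size = 0;        // characters held in this.lines
    this.openCode = null; // code of an open multiline reply, e.g. "220"
  }

  // Feed one socket chunk; returns the replies it completed.
  // Throws once an unfinished reply outgrows the cap, so the caller can close the socket.
  push(chunk) {
    const done = [];
    const parts = (this.partial + chunk).split("\n");
    this.partial = parts.pop(); // incomplete until its newline arrives
    for (const raw of parts) {
      const line = raw.replace(/\r$/, "");
      this.lines.push(line);
      this.size += raw.length + 1;
      if (this.openCode === null) {
        const m = /^(\d{3})([ -])/.exec(line);
        if (m && m[2] === "-") this.openCode = m[1];   // "220-..." opens a multiline reply
        else done.push(this.finish(m ? m[1] : null));  // single-line reply
      } else if (line.startsWith(this.openCode + " ")) {
        done.push(this.finish(this.openCode));         // "220 ..." closes it
      }
      this.checkLimit();
    }
    this.checkLimit();
    return done;
  }

  finish(code) {
    const reply = { code, text: this.lines.join("\n") };
    this.lines = [];
    this.size = 0;
    this.openCode = null;
    return reply;
  }

  checkLimit() {
    if (this.size + this.partial.length > this.limit) {
      throw new Error("FTP reply exceeds " + this.limit + " characters without terminating");
    }
  }
}
```

On a thrown error the caller should destroy the socket rather than keep reading, since the parser state is no longer meaningful.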

Affected Version(s)

basic-ftp < 5.3.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
