CVE-2023-22551

Severity: High · Public PoC available

Published: 01 January 2023
Modified: 07 April 2025
KEV Added: (not listed)
Patch: (none referenced)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0917 (92.9th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-22551 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in the ftp project's ftp. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood (EPSS 92.9th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a memory leak in the FTP project, an implementation of a simple FTP client and server, affecting versions through commit 96c1a35. The root cause is that memory obtained with malloc during client connection handling is never released with a corresponding free, so each connection leaves allocated memory behind. Triggered remotely and repeatedly, this exhausts system memory and produces a denial of service.

Unauthenticated remote attackers can trigger the flaw simply by establishing and then terminating FTP connections, causing allocation without release on every cycle. The CVSS 7.5 score reflects the network attack vector, low attack complexity, and high impact on availability, with no privileges or user interaction required; confidentiality and integrity are not affected.

The two references point to the same GitHub issue tracker entry; neither advisory text nor patch details are supplied in the available references. The associated EPSS score has remained flat at 0.0917, with no material increase after disclosure.

Vulnerability details

The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ftp project
Product: ftp
Affected versions: ≤ 2012-03-28

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
