CVE-2026-41324
Published: 24 April 2026
Summary
CVE-2026-41324 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Patrickjuchli Basic-Ftp. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 17.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly mitigating CVE-2026-41324 by mandating upgrades to basic-ftp version 5.3.0 or later to impose bounds on directory listing processing.
SC-5 implements denial-of-service protections, such as resource limits and traffic filtering, to prevent unbounded memory growth from malicious FTP directory listings. Because the vulnerable client initiates the connection, the useful control here is a limit on response size or per-process memory rather than inbound traffic filtering.
SC-6 restricts resource allocation to processes, directly countering memory exhaustion attacks triggered by large or endless FTP server responses in basic-ftp.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote denial of service through resource exhaustion (unbounded memory allocation) when the client processes a malicious FTP directory listing from an attacker-controlled server. That matches application or system exploitation used for endpoint denial of service (T1499.004).
NVD Description
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.
Deeper analysis
CVE-2026-41324 affects the basic-ftp FTP client library for Node.js in versions prior to 5.3.0. The vulnerability enables a denial-of-service condition through unbounded memory growth when processing directory listings received from a remote FTP server. Specifically, the `Client.list()` method fails to impose limits on response sizes, allowing excessive memory allocation that leads to process instability or crashes. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
Any attacker controlling a malicious or compromised FTP server can exploit this vulnerability remotely without authentication or user interaction. By sending an extremely large or never-ending directory listing response during a `Client.list()` operation, the attacker triggers continuous memory consumption in the client application, potentially causing it to exhaust available resources and crash. This impacts the availability of Node.js applications that use basic-ftp to connect to untrusted FTP servers.
The GitHub security advisory (GHSA-rp42-5vxx-qpwr) confirms that version 5.3.0 of basic-ftp resolves the issue by implementing appropriate bounds on directory listing processing. Security practitioners should upgrade affected applications to this version or later and review dependencies for basic-ftp usage, including transitive use (for example with `npm ls basic-ftp`), particularly in scenarios involving connections to external or untrusted FTP servers.
Details
- CWE(s)