Unrestricted Resource Consumption

Unrestricted Resource Consumption in Node.js (Express) [CVE-2026-41324]

[Updated August 2026] Updated CVE-2026-41324

Overview

CVE-2026-41324 describes unbounded memory growth in basic-ftp before 5.3.0 when a Node.js (Express) application processes large FTP directory listings. The vulnerability is triggered when a remote FTP server returns an extremely large or never-ending listing: the client buffers the entire listing in memory and can exhaust the process heap, resulting in denial of service. It maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Insufficient Resource Management). In real-world Express services that fetch remote directories to drive business logic or file handling, an attacker who controls the FTP server can induce memory pressure and degrade the availability and stability of the Node.js process. Upgrading to the fixed version mitigates the issue by ensuring listings are not processed in an unbounded manner and by enabling safer defaults for memory usage during listing operations.

Affected Versions

basic-ftp < 5.3.0

Code Fix Example

Node.js (Express) API Security Remediation
/* Vulnerable pattern: loads all directory listings into memory, potentially unbounded */
const ftp = require('basic-ftp');
async function vulnerableListing(host, user, pass, remotePath) {
  const client = new ftp.Client();
  try {
    await client.access({ host, user, password: pass, secure: true });
    const listing = await client.list(remotePath);
    for (const item of listing) {
      console.log(item.name);
    }
  } catch (err) {
    console.error(err);
  } finally {
    client.close();
  }
}

/* Fixed pattern: upgrade the library (the actual mitigation) and additionally cap the number
   of entries the application will act on. Note that client.list() has already returned the
   full listing by the time the check runs, so this cap limits downstream work but does not by
   itself prevent the library from buffering the listing; the upgrade to 5.3.0 is what bounds
   the memory used during the listing itself. */
async function secureListing(host, user, pass, remotePath) {
  const MAX_ITEMS = 1000;
  const client = new ftp.Client();
  try {
    await client.access({ host, user, password: pass, secure: true });
    const listing = await client.list(remotePath);
    if (listing.length > MAX_ITEMS) {
      throw new Error(`Directory listing too large: ${listing.length} items`);
    }
    for (const item of listing) {
      console.log(item.name);
    }
  } catch (err) {
    console.error(err);
  } finally {
    client.close();
  }
}

// Ensure the dependency is updated to the fixed version listed above: npm install basic-ftp@5.3.0
