Overview
CVE-2026-44240 describes a client-side denial of service in basic-ftp, a Node.js FTP client library, in versions prior to 5.3.1. During the control-channel banner phase, a compromised or malicious FTP server can send a multiline response that is never terminated. The client appends the attacker-controlled data to FtpContext._partialResponse and reparses the accumulated buffer each time more data arrives, without enforcing a maximum control response size, so memory and parsing work grow with whatever the server chooses to send. An application can hang in connect() with memory and CPU usage climbing, which can trigger container OOM kills, worker restarts, or degraded service in applications that connect to FTP endpoints automatically. The issue maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
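To make the failure mode concrete, the following is an added example (illustrative code, not basic-ftp's implementation): a simplified model of RFC 959 multiline-reply parsing in which the vulnerable context appends every chunk to a _partialResponse buffer and reparses it with no limit, beside a bounded context that rejects the connection once the buffer passes a cap. The class and function names, the 64 KiB cap, and the rogue banner traffic are assumptions made for illustration; how 5.3.1 itself enforces a limit is not described on this page.

```javascript
// Added example (not basic-ftp's code): a simplified model of FTP control-channel
// reply parsing per RFC 959 section 4.2. Names and the cap value are assumptions.

// Assumed cap. The control channel is ASCII, so string length equals bytes here;
// real FTP replies are normally a few hundred bytes, so 64 KiB is generous.
const MAX_CONTROL_RESPONSE_BYTES = 64 * 1024;

// Parse one reply from the front of `buffer`. A reply is a single "NNN text" line,
// or a multiline block opened by "NNN-" that ends at the first line starting "NNN ".
// Returns { reply, rest } when a complete reply is present, otherwise null.
function parseReply(buffer) {
  const lines = buffer.split('\r\n');
  const complete = lines.slice(0, -1); // last element is the trailing partial line
  if (complete.length === 0) return null;
  const m = /^(\d{3})([ -])/.exec(complete[0]);
  if (!m) throw new Error('malformed reply line: ' + JSON.stringify(complete[0]));
  const code = m[1];
  if (m[2] === ' ') {
    return { reply: { code: Number(code), lines: [complete[0]] }, rest: lines.slice(1).join('\r\n') };
  }
  for (let i = 1; i < complete.length; i++) {
    if (complete[i].startsWith(code + ' ')) {
      return { reply: { code: Number(code), lines: complete.slice(0, i + 1) }, rest: lines.slice(i + 1).join('\r\n') };
    }
  }
  return null; // multiline reply not terminated yet: caller must buffer and wait
}

// Vulnerable model: every chunk is appended and the whole buffer is re-parsed,
// with nothing stopping a malicious server from growing it indefinitely.
class UnboundedContext {
  constructor() {
    this._partialResponse = '';
    this.replies = [];
  }
  onData(chunk) {
    this._partialResponse += chunk;
    let parsed;
    while ((parsed = parseReply(this._partialResponse)) !== null) {
      this.replies.push(parsed.reply);
      this._partialResponse = parsed.rest;
    }
  }
}

// Hardened model: refuse to buffer past the cap. A real client should treat the
// error as a fatal protocol violation, close the control socket and fail connect().
class BoundedContext extends UnboundedContext {
  onData(chunk) {
    if (this._partialResponse.length + chunk.length > MAX_CONTROL_RESPONSE_BYTES) {
      throw new Error('control response exceeds ' + MAX_CONTROL_RESPONSE_BYTES + ' bytes; closing connection');
    }
    super.onData(chunk);
  }
}

// Constructed attacker traffic: a "220-" banner that never sends the terminating "220 " line.
function rogueBannerChunks(count) {
  const chunks = ['220-Welcome to rogue FTP\r\n'];
  for (let i = 0; i < count; i++) chunks.push('220-' + 'A'.repeat(1000) + '\r\n');
  return chunks;
}

// Feed chunks into a context and report how many replies completed, how much is
// still buffered, and whether the bounded context refused the traffic.
function feed(ctx, chunks) {
  let error = null;
  for (const chunk of chunks) {
    try {
      ctx.onData(chunk);
    } catch (e) {
      error = e.message;
      break;
    }
  }
  return { replies: ctx.replies.length, buffered: ctx._partialResponse.length, error };
}

// Legitimate traffic parses in both models, including a multiline banner split across chunks.
const benign = new BoundedContext();
feed(benign, ['220-Welcome\r\n220-Please log in\r\n22', '0 Service ready\r\n331 Need password\r\n']);
console.log('benign replies:', benign.replies.map((r) => r.code)); // [220, 331]

const unbounded = feed(new UnboundedContext(), rogueBannerChunks(200));
console.log('unbounded:', unbounded); // replies 0, 201226 buffered, error null: keeps growing
const bounded = feed(new BoundedContext(), rogueBannerChunks(200));
console.log('bounded:', bounded);     // replies 0, 65416 buffered, error raised at the cap
```

Two things are worth noticing when running it. The unbounded model never errors, so a server that keeps sending continuation lines keeps the client waiting for a terminator that never comes, and because the entire buffer is split and scanned again on every chunk, parsing cost grows with the buffer as well as memory. The bounded model fails fast with a clear error; in a real client that error should close the socket so the pending connect() rejects instead of hanging.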
In practice, an attacker hosting a rogue FTP server, or one who has compromised a server the application already talks to, sends malformed multiline responses to flood the client's parser. Because the flaw is in client-side parsing, any Node.js application that uses basic-ftp to connect to FTP servers it does not control is exposed, even if the application never exposes FTP to its own users. The impact is denial of service against the connecting application (a hung connect() and a process that may be OOM-killed or restarted), not a compromise of the FTP server itself.
For Node.js/Express applications, this manifests wherever server code uses basic-ftp to upload or download files inside routes, scheduled jobs, or background workers. If that code connects to an untrusted FTP endpoint, a crafted server can make the client consume unbounded memory and CPU, causing latency, timeouts, and potential crashes while the attack lasts.
Remediation is to upgrade to basic-ftp 5.3.1 or later. Beyond the upgrade: restrict FTP connections to servers you trust, prefer SFTP, FTPS, or an HTTP API where the other side supports them (FTPS protects the channel but does not by itself limit what a malicious server sends), and wrap FTP operations in runtime guards: wall-clock timeouts, error handling that always closes the client, and memory/CPU monitoring so a stuck worker is detected and recycled.
Affected Versions
basic-ftp < 5.3.1
Code Fix Example
Node.js (Express) API Security Remediation
const ftp = require('basic-ftp');

// Vulnerable pattern (basic-ftp < 5.3.1): the control-channel parser has no size
// limit, so a malicious server can make access() hang while memory grows.
async function vulnerablePatternExample() {
  // Vulnerable: older basic-ftp with no bound on control responses, and no
  // wall-clock limit on how long access() may take.
  const client = new ftp.Client();
  try {
    await client.access({ host: 'ftp.example.com', user: 'anonymous', password: 'guest' });
    const list = await client.list('/');
    console.log(list);
  } catch (err) {
    console.error('FTP error (vulnerable)', err);
  } finally {
    client.close();
  }
}

// Fixed pattern (basic-ftp >= 5.3.1) plus a wall-clock timeout around access().
// Note: the constructor's timeout argument is basic-ftp's socket inactivity
// timeout; a server that keeps streaming data never trips it, which is why the
// separate wall-clock guard below is still worthwhile.
async function fixedPatternExample() {
  const timeoutMs = 10000;
  const client = new ftp.Client(timeoutMs);
  let timer;
  try {
    const accessPromise = client.access({ host: 'ftp.example.com', user: 'anonymous', password: 'guest' });
    const timeout = new Promise((_, reject) => {
      timer = setTimeout(() => reject(new Error('FTP connect timeout')), timeoutMs);
    });
    await Promise.race([accessPromise, timeout]);
    const list = await client.list('/');
    console.log(list);
  } catch (err) {
    console.error('FTP error (fixed)', err);
  } finally {
    clearTimeout(timer); // do not keep the event loop alive once the race is settled
    client.close();      // tears down the control socket, which also abandons a hung access()
  }
}

// Example invocation (ensure you are using basic-ftp >= 5.3.1)
// vulnerablePatternExample();
// fixedPatternExample();