Fluid Attacks Database

Description

basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list(), causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-proxy-agents	=0~2024040606-6 \|\| =0~2025070717+~cs15.2.7-1 \|\| =0~2025070717-1 \|\| =0~2025070717-2 \|\| =0~2025070717-3 \|\| =0~2025070717-4 \|\| =0~2025070717-5 \|\| =0~2025070717-6 \|\| >=0 <0~2025070717+~cs15.3.7-1	0~2025070717+~cs15.3.7-1
debian 13	node-proxy-agents	=0~2024040606-6 \|\| =0~2024040606-6+deb13u1 \|\| =0~2025070717+~cs15.2.7-1 \|\| =0~2025070717+~cs15.3.7-1 \|\| =0~2025070717-1 \|\| =0~2025070717-2 \|\| =0~2025070717-3 \|\| =0~2025070717-4 \|\| =0~2025070717-5 \|\| =0~2025070717-6	-
rpm rhel10	rust	-	-
rpm rhel9	rust	-	-
npm	basic-ftp	>=0 <5.3.0	5.3.0

Aliases

1. CVE-2026-413242. NVD-2026-413243. OSV-DEBIAN-2026-413244. OSV-2026-413245. GHSA-rp42-5vxx-qpwr6. GCVE-2026-413247. SECURITY-TRACKER-CVE-2026-41324

References

1. https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rp42-5vxx-qpwr

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.