{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44240","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-05-05T15:42:40.519Z","datePublished":"2026-05-12T20:37:43.098Z","dateUpdated":"2026-05-12T20:37:43.098Z"},"containers":{"cna":{"title":"basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering","problemTypes":[{"descriptions":[{"cweId":"CWE-400","lang":"en","description":"CWE-400: Uncontrolled Resource Consumption","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-770","lang":"en","description":"CWE-770: Allocation of Resources Without Limits or Throttling","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89","tags":["x_refsource_CONFIRM"],"url":"https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89"}],"affected":[{"vendor":"patrickjuchli","product":"basic-ftp","versions":[{"version":"< 5.3.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-12T20:37:43.098Z"},"descriptions":[{"lang":"en","value":"basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1."}],"source":{"advisory":"GHSA-rpmf-866q-6p89","discovery":"UNKNOWN"}}}}