PT-2026-38291 · Pypi · Basic-Ftp

Published: 2026-05-06 · Updated: 2026-05-14 · CVE-2026-44240

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: basic-ftp versions 0.0.1 through 5.3.0
Description: A client-side denial of service exists when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial banner phase, before authentication. The client keeps appending this data to the partialResponse variable in the FtpContext and reparses the whole buffer on every chunk without enforcing a maximum size, because the onControlSocketData function concatenates each new chunk with the previous incomplete response and feeds the result back into parseControlResponse().
This leads to excessive memory and CPU consumption, leaving the application stuck in connect(). Potential impacts include process-level denial of service, container Out-Of-Memory (OOM) kills, worker restarts, and service degradation for applications that connect to FTP endpoints automatically, such as scheduled imports, backup jobs, or document ingestion pipelines.
Recommendations: Update to version 5.3.1. As a temporary workaround, prevent the application from connecting to untrusted or customer-provided FTP endpoints until the update is applied.
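The failure mode above, as an added illustration that is not basic-ftp's code: a simplified FTP control-channel reader whose names mirror the advisory's wording (partialResponse, onControlSocketData, parseControlResponse). The 64 KiB cap and the ControlContext class are assumptions made for this example, not the upstream fix; constructing the context with Infinity reproduces the unbounded accumulation the advisory describes, while the default cap makes the client abandon a reply that never terminates.

```javascript
// Simplified model of an FTP control-channel reader written for this advisory.
// Not basic-ftp's code: the names follow the advisory's description, and the
// 64 KiB cap is an assumed value, not the fix shipped in 5.3.1.
const MAX_PARTIAL_RESPONSE_CHARS = 64 * 1024;

// Split buffered control-channel text (RFC 959 replies) into complete messages.
// A multiline reply starts with "ddd-" and ends at a line starting with "ddd ".
// Returns the complete messages plus the unparsed remainder (an incomplete reply).
function parseControlResponse(text) {
  const lines = text.split(/\r?\n/);
  const messages = [];
  let start = 0;        // first line of the reply currently being assembled
  let endToken = null;  // "ddd " once inside a multiline reply
  // The last element of `lines` is always an unfinished line ("" when the text
  // ended with CRLF), so it is never consumed here.
  for (let i = 0; i < lines.length - 1; i++) {
    const line = lines[i];
    if (endToken === null) {
      const m = /^(\d{3})-/.exec(line);
      if (m) {
        endToken = m[1] + " ";
        start = i;
      } else {
        messages.push(line); // single-line reply
        start = i + 1;
      }
    } else if (line.startsWith(endToken)) {
      messages.push(lines.slice(start, i + 1).join("\n"));
      endToken = null;
      start = i + 1;
    }
  }
  return { messages, rest: lines.slice(start).join("\n") };
}

// Control-channel state that carries the incomplete reply between socket chunks.
// Infinity reproduces the unbounded behaviour from the advisory; the default
// caps the remainder so an unterminated reply cannot grow without limit.
class ControlContext {
  constructor(maxPartialChars = MAX_PARTIAL_RESPONSE_CHARS) {
    this.maxPartialChars = maxPartialChars;
    this.partialResponse = "";
  }

  // Called once per socket chunk. Returns complete messages; throws when the
  // unterminated remainder exceeds the cap (the caller should close the socket).
  onControlSocketData(chunk) {
    const { messages, rest } = parseControlResponse(this.partialResponse + chunk);
    if (rest.length > this.maxPartialChars) {
      this.partialResponse = "";
      throw new Error(`FTP reply exceeded ${this.maxPartialChars} chars without terminating`);
    }
    this.partialResponse = rest;
    return messages;
  }
}

// Feed `chunkCount` chunks of a banner that never sends its "220 " terminator
// (constructed input standing in for a misbehaving server) and report how the
// context behaved: chunks accepted, whether it bailed out, and buffered size.
function feedUnterminatedBanner(maxPartialChars, chunkCount) {
  const ctx = new ControlContext(maxPartialChars);
  const chunk = "220-" + "x".repeat(95) + "\r\n"; // 99 chars plus CRLF
  let accepted = 0;
  for (let i = 0; i < chunkCount; i++) {
    try {
      ctx.onControlSocketData(chunk);
      accepted++;
    } catch (err) {
      return { accepted, rejected: true, buffered: ctx.partialResponse.length };
    }
  }
  return { accepted, rejected: false, buffered: ctx.partialResponse.length };
}
```

Calling feedUnterminatedBanner(Infinity, 1000) shows the remainder growing to 100000 characters with every chunk accepted, which is the memory and reparse cost the advisory describes; feedUnterminatedBanner(1024, 1000) accepts ten chunks and then throws, so connect() fails fast instead of hanging.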

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-44240
GHSA-RPMF-866Q-6P89

Affected Products

Basic-Ftp