basic-ftp Denial-of-Service Vulnerability via Unbounded Memory Growth in Directory Listing Processing
Vulnerability
A denial-of-service vulnerability has been identified in basic-ftp, an FTP client for Node.js, affecting versions through 5.2.2. The issue arises from unbounded memory consumption while handling directory listings from remote FTP servers. A malicious or compromised server can send excessively large or infinite listing responses to the Client.list() method. This causes the client process to use memory continuously, leading to instability or a crash. The vulnerability is rooted in the default directory listing handling, where the entire response is buffered in memory without limits, allowing for excessive memory allocation until the process is terminated.
Impact
Exploitation of this vulnerability causes excessive memory usage, process instability, and potential termination of the client process.
Reproduction
To reproduce this vulnerability, connect to a malicious or compromised FTP server using basic-ftp version 5.2.2. Call the Client.list() method, which will trigger the unbounded memory growth as the server sends a large or never-ending directory listing. The memory consumption can be observed increasing without limit, demonstrating the denial-of-service condition.
Remediation
Users can upgrade to basic-ftp version 5.3.0, which addresses this vulnerability. For those unable to upgrade, it is recommended to enforce a maximum size for directory listings, abort transfers that exceed this limit, and prefer incremental or streaming parsing methods instead of full-response buffering.
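The mitigation described above, as an added example in Node.js that is not basic-ftp's own code: it does not touch the library's API, but works on raw chunks as a caller would read them from the data connection, enforcing a byte cap, aborting when it is exceeded, and parsing listing lines incrementally so only one partial line is ever held in memory.

```javascript
class ListingTooLargeError extends Error {}  // raised once the size cap is exceeded
// Size-capped, line-by-line collector for data read from the FTP data connection.
// Only the trailing incomplete line is retained between chunks.
class BoundedListingCollector {
  constructor(maxBytes, onEntry = () => {}) {
    this.maxBytes = maxBytes;  // hard cap on total listing bytes
    this.onEntry = onEntry;    // invoked once per complete listing line
    this.received = 0;
    this.entries = 0;
    this.partial = "";
  }
  // Feed one chunk (Buffer or latin1 string); throws when the cap is exceeded.
  write(chunk) {
    const text = Buffer.isBuffer(chunk) ? chunk.toString("latin1") : chunk;
    // Count every byte, newline or not, so a single endless line cannot evade the cap.
    this.received += text.length;
    if (this.received > this.maxBytes) {
      throw new ListingTooLargeError(`listing exceeded ${this.maxBytes} bytes`);
    }
    const lines = (this.partial + text).split(/\r?\n/);
    this.partial = lines.pop();  // keep the fragment, parse complete lines now
    for (const line of lines) this.emit(line);
  }
  end() { this.emit(this.partial); this.partial = ""; }
  emit(line) { if (line.length > 0) { this.entries += 1; this.onEntry(line); } }
}
// Drive a collector over an iterable of chunks (e.g. socket 'data' events).
// Returns { entries, received, aborted }; aborted means the data connection
// must be closed instead of waiting for the server to finish.
function collectListing(chunks, maxBytes) {
  const c = new BoundedListingCollector(maxBytes);
  try {
    for (const chunk of chunks) c.write(chunk);
    c.end();
    return { entries: c.entries, received: c.received, aborted: false };
  } catch (err) {
    if (!(err instanceof ListingTooLargeError)) throw err;
    return { entries: c.entries, received: c.received, aborted: true };
  }
}
// Constructed sample input: a benign three-entry listing split across two chunks,
// and a generator standing in for a server that never stops sending lines.
const BENIGN_LISTING = [
  "-rw-r--r-- 1 ftp ftp 1024 Jan 01 12:00 notes.txt\r\n-rw-r--r-- 1 ftp ftp ",
  "2048 Jan 01 12:01 report.pdf\r\ndrwxr-xr-x 2 ftp ftp 4096 Jan 01 12:02 pub\r\n",
];
function* endlessListing() {
  for (let i = 0; ; i++) yield `-rw-r--r-- 1 ftp ftp 0 Jan 01 00:00 file${i}.bin\r\n`;
}
```

With a 4 KiB cap, `collectListing(endlessListing(), 4096)` stops within one chunk of the limit instead of growing without bound, while the benign listing yields its three entries.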