basic-ftp Client-Side Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in basic-ftp, an FTP client for Node.js, in versions prior to 5.3.1. The issue lies in how the client parses multiline responses from an FTP server, and it is reachable during the initial connection phase, before any authentication takes place. In the FTP reply format defined by RFC 959, a multiline reply opens with a line such as "220-" and is closed by a line that begins with the same code followed by a space ("220 "). A malicious or compromised server can open a multiline reply and never send the closing line; the vulnerable client then keeps buffering everything it receives, with no limit on size. This unbounded buffering drives memory and CPU usage up until the process becomes unresponsive. Because the client only needs to connect to the server to be affected, any service that automatically opens FTP connections to a malicious or compromised server is exposed, and the result can be a process-level denial of service or broader service degradation.
Impact
Exploitation can exhaust memory and CPU in the affected Node.js process, causing a process-level denial of service. In containerized environments the memory growth can trigger out-of-memory kills. Workers may crash or restart, processing queues can back up, and the availability of any service that automatically connects to FTP endpoints degrades.
Reproduction
The issue can be reproduced with a local malicious FTP server that sends an unterminated multiline response as its banner: a multiline 220 reply that is never closed by a terminating "220 " line. When a client using a vulnerable basic-ftp version connects, the library buffers the incomplete response without bound, and memory and CPU consumption grow for as long as the server keeps sending, while the connection remains pending and never completes.
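The parsing behaviour described under Vulnerability and the reproduction setup above, as an added example that is not basic-ftp's code: a minimal RFC 959 reply parser run in two configurations, unbounded (the failure mode the advisory describes) and capped at a fixed number of buffered bytes per reply (the mitigation pattern). The banner generator is a constructed stand-in for the malicious server's control socket; the class and function names, and the 8192-byte cap, are assumptions made for this illustration and are not the limit or the fix basic-ftp itself uses.

```javascript
'use strict';

// Added illustrative code, not basic-ftp's implementation. A minimal
// RFC 959 reply parser in two configurations: unbounded (the failure mode
// the advisory describes) and capped (the mitigation pattern). Per RFC 959,
// a single-line reply is "xyz text\r\n"; a multiline reply opens with
// "xyz-text\r\n" and ends with a line that starts with "xyz ".
class FtpReplyParser {
  // maxBuffered (assumed value, see demo): most bytes one reply may
  // accumulate before the parser gives up. Infinity reproduces the bug.
  constructor({ maxBuffered = Infinity } = {}) {
    this.maxBuffered = maxBuffered;
    this.pending = '';    // bytes not yet split into lines
    this.lines = [];      // completed lines of the reply in progress
    this.openCode = null; // code of the open multiline reply, if any
    this.buffered = 0;    // bytes received since the last complete reply
  }

  // Feed one chunk as it arrives on the control socket. Returns the finished
  // reply { code, lines }, or null if more data is needed. Throws once the
  // cap is exceeded or a line is not a valid reply line.
  feed(chunk) {
    this.buffered += chunk.length;
    if (this.buffered > this.maxBuffered) {
      throw new RangeError(
        `FTP reply exceeded ${this.maxBuffered} bytes without a terminating line`);
    }
    this.pending += chunk;
    for (;;) {
      const nl = this.pending.indexOf('\r\n');
      if (nl === -1) return null; // wait for the rest of the line
      const line = this.pending.slice(0, nl);
      this.pending = this.pending.slice(nl + 2);
      this.lines.push(line);
      if (this.openCode === null) {
        if (/^\d{3}-/.test(line)) { // multiline reply opened
          this.openCode = line.slice(0, 3);
          continue;
        }
        if (!/^\d{3} /.test(line)) throw new Error(`malformed reply line: ${line}`);
        return this.finish(line.slice(0, 3));
      }
      // Only "xyz " closes the open multiline reply; every other line is a
      // continuation line and is kept.
      if (line.startsWith(this.openCode + ' ')) return this.finish(this.openCode);
    }
  }

  finish(code) {
    const reply = { code, lines: this.lines };
    this.lines = [];
    this.openCode = null;
    this.buffered = this.pending.length; // leftover bytes start the next reply
    return reply;
  }
}

// Constructed stand-in for the malicious server's banner from the
// reproduction above: opens a multiline 220 reply, then streams continuation
// lines and never sends the terminating "220 " line.
function* unterminatedBanner(lineCount) {
  yield '220-Welcome to the server\r\n';
  for (let i = 0; i < lineCount; i++) {
    yield ` continuation ${i} ${'A'.repeat(60)}\r\n`;
  }
}

// Feed chunks to a parser the way a socket 'data' handler would, and report
// how it ended: a parsed reply, a rejection, or still pending with bytes held.
function drive(parser, chunks) {
  let consumed = 0;
  for (const chunk of chunks) {
    consumed += chunk.length;
    try {
      const reply = parser.feed(chunk);
      if (reply) return { outcome: 'reply', reply, consumed };
    } catch (err) {
      return { outcome: 'rejected', error: err.message, consumed };
    }
  }
  return { outcome: 'pending', buffered: parser.buffered, consumed };
}

// Same hostile banner against both configurations. The 8192-byte cap is an
// assumed value for the demonstration, not the limit basic-ftp chose.
function demo(lineCount = 100000) {
  return {
    unbounded: drive(new FtpReplyParser(), unterminatedBanner(lineCount)),
    bounded: drive(new FtpReplyParser({ maxBuffered: 8192 }), unterminatedBanner(lineCount)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { unbounded, bounded } = demo();
  console.log(`unbounded: ${unbounded.outcome}, holding ${unbounded.buffered} bytes`);
  console.log(`bounded:   ${bounded.outcome} after ${bounded.consumed} bytes`);
}
```

Run with node and the unbounded parser reports that it is still pending while holding roughly 8 MB for a single reply, growing with every line the server sends; the capped parser rejects the reply a few hundred bytes past its limit and the caller can close the socket. The cap belongs on the total bytes accumulated for the current reply, not only on the partial line, since a hostile server can send many short, well-terminated continuation lines and still never close the reply.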
Remediation
Upgrade to basic-ftp version 5.3.1 or later, where this vulnerability has been fixed. Check which version is actually installed, including as a transitive dependency, with npm ls basic-ftp, and make sure the lockfile is updated so that deployments pick up the fixed version.
