
AIKIDO-2026-10643

basic-ftp is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)
GHSA-rpmf-866q-6p89
Published Apr 29, 2026

75

High Risk

This Affects:

basic-ftp (JS)
0.0.1 - 5.3.0
Fixed in 5.3.1

TL;DR

The FTP client parses control-channel text into completed responses while retaining incomplete multiline groups in an internal string buffer. A server can open a multiline response, for example with a 220- continuation line in its banner, and never send the terminating status line, so each socket chunk is appended to that buffer and the full accumulated text is parsed again with no enforced upper bound. Memory use and parsing work therefore grow with attacker-supplied control traffic, while connect() may never finish. The patch caps how large an incomplete control response may grow and fails the connection when the cap is exceeded instead of buffering without limit.
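As an added example, not basic-ftp's own code or its patch, the bounded buffering described above written as a small control-channel parser in JavaScript; the class, its method names and the 64 KiB cap are assumptions, and the running byte count keeps the check O(1) per chunk rather than re-measuring the accumulated text.

```javascript
// Added example, not basic-ftp's own code: an FTP control-channel parser that caps
// the unfinished multiline group it buffers, so an endless "220-" banner fails fast.
const MAX_PENDING_BYTES = 64 * 1024; // assumed cap, not the value the patch uses
class ControlResponseParser {
  constructor(maxPendingBytes = MAX_PENDING_BYTES) {
    this.maxPendingBytes = maxPendingBytes;
    this.pending = "";     // text not yet terminated by "\n"
    this.openCode = null;  // status code of the multiline group in progress
    this.groupLines = [];  // lines of that group collected so far
    this.groupBytes = 0;   // running size of the group, so the check is O(1)
  }
  // Feed one socket chunk; returns completed responses as {code, message}. Throws past the cap.
  feed(chunk) {
    const completed = [];
    this.pending += chunk;
    let nl;
    while ((nl = this.pending.indexOf("\n")) !== -1) {
      const line = this.pending.slice(0, nl).replace(/\r$/, "");
      this.pending = this.pending.slice(nl + 1);
      this.consumeLine(line, completed);
    }
    if (this.groupBytes + Buffer.byteLength(this.pending) > this.maxPendingBytes) {
      throw new Error(`incomplete control response exceeds ${this.maxPendingBytes} bytes`);
    }
    return completed;
  }
  consumeLine(line, completed) {
    const m = /^(\d{3})([ -])(.*)$/.exec(line); // "NNN text" or "NNN-text"
    if (this.openCode === null) {
      if (!m) throw new Error(`malformed control line: ${line}`);
      if (m[2] === " ") {                        // single-line response
        completed.push({ code: Number(m[1]), message: m[3] });
        return;
      }
      this.openCode = m[1];                      // "NNN-" opens a multiline group
      this.addGroupLine(m[3]);
    } else if (m && m[1] === this.openCode && m[2] === " ") {
      this.addGroupLine(m[3]);                   // "NNN " with the same code closes it
      completed.push({ code: Number(this.openCode), message: this.groupLines.join("\n") });
      this.openCode = null; this.groupLines = []; this.groupBytes = 0;
    } else {
      this.addGroupLine(line);                   // any other line continues the group
    }
  }
  addGroupLine(text) {
    this.groupLines.push(text);
    this.groupBytes += Buffer.byteLength(text) + 1;
  }
}
```

A caller would treat the thrown error the way the patch treats an over-long response: close the socket and fail the pending connect().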

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

basic-ftp is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 5.3.0.

How to fix this

Upgrade basic-ftp to the patched version, 5.3.1 or later.