EXECUTIVE SUMMARY:
CVE-2026-44240, with a CVSS score of 7.5, is a high-severity vulnerability in the basic-ftp package affecting versions less than or equal to 5.3.0. The vulnerability allows a malicious FTP server to cause a client-side denial of service via unbounded multiline control response buffering. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication, causing the client to repeatedly reparse a growing attacker-controlled buffer. This results in memory growth and increasing parsing work, potentially leading to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. An attacker can exploit this vulnerability without authenticating to the victim system or possessing valid FTP credentials: the attack occurs automatically when an application using basic-ftp connects to a malicious or compromised FTP server, and no additional user interaction is required after the application initiates a normal FTP connection. The business impact of exploitation includes potential process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. The prerequisites for exploitation are the presence of a malicious or compromised FTP server and an application using basic-ftp that connects to it.
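To illustrate the defensive properties a client-side control-channel parser needs against this failure mode, the following is an added example written for this advisory; it is not code from basic-ftp, and the 64 KiB cap (MAX_CONTROL_BUFFER) is an assumed value to be tuned per deployment. It caps the bytes buffered for a single multiline response and scans only newly received bytes, so an unterminated "220-" banner neither grows memory without bound nor forces a full reparse on every chunk.

```javascript
// Added example (not basic-ftp's code): bounded, incremental parser for FTP
// control responses in RFC 959 multiline format ("220-..." opens, "220 ..." closes).
const MAX_CONTROL_BUFFER = 64 * 1024; // assumed cap; tune per deployment

class BoundedResponseParser {
  constructor(maxBytes = MAX_CONTROL_BUFFER) {
    this.maxBytes = maxBytes;
    this.buffer = "";
    this.scanFrom = 0;    // index of the first byte not yet examined
    this.openCode = null; // e.g. "220" while inside a "220-" multiline block
  }

  // Feed one raw chunk from the socket; returns the responses completed by it.
  // Throws when a response grows past the cap without terminating, so the
  // caller can close the connection instead of buffering indefinitely.
  feed(chunk) {
    this.buffer += chunk;
    if (this.buffer.length > this.maxBytes) {
      throw new Error(
        `FTP control response exceeded ${this.maxBytes} bytes without terminating`
      );
    }
    const done = [];
    let nl;
    // Resume at scanFrom: each chunk costs O(chunk), not O(total buffer).
    while ((nl = this.buffer.indexOf("\n", this.scanFrom)) !== -1) {
      const line = this.buffer.slice(this.scanFrom, nl).replace(/\r$/, "");
      this.scanFrom = nl + 1;
      const m = /^(\d{3})([ -])/.exec(line);
      if (this.openCode === null && m && m[2] === "-") {
        this.openCode = m[1]; // multiline block opened
      } else if (this.openCode !== null && m && m[1] === this.openCode && m[2] === " ") {
        this.openCode = null; // matching terminator line closes the block
      }
      if (this.openCode === null) {
        // Response complete: emit the accumulated block and reset the buffer.
        done.push(this.buffer.slice(0, this.scanFrom));
        this.buffer = this.buffer.slice(this.scanFrom);
        this.scanFrom = 0;
      }
    }
    return done;
  }
}
```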
RECOMMENDATION:
We recommend updating basic-ftp to version 5.3.1.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-rpmf-866q-6p89