Node.js FTP Clients Exposed to DoS via Malicious Listings
The National Vulnerability Database (NVD) has disclosed CVE-2026-41324, a high-severity denial-of-service vulnerability affecting basic-ftp, a popular Node.js FTP client. Versions prior to 5.3.0 are susceptible to unbounded memory growth when processing directory listings from a remote FTP server. This isn’t just a theoretical flaw; a compromised or malicious server can exploit this by sending an excessively large or never-ending directory listing, forcing the client process to consume all available memory until it crashes or becomes unstable.
This vulnerability, with a CVSS score of 7.5 (HIGH), highlights a critical risk for any application relying on basic-ftp for client-side FTP operations. The attacker’s calculus is straightforward: disrupt operations with minimal effort. They don’t need to breach your perimeter; they just need to control the FTP server your client connects to, or compromise the network path to it. This can lead to significant operational downtime and resource exhaustion, impacting service availability and potentially cascading into broader system instability.
Defenders need to prioritize this. If your applications use basic-ftp, immediate action is required. The fix is available in version 5.3.0. This isn’t a ‘wait and see’ situation; it’s a direct path to service disruption if an external FTP endpoint is compromised or malicious. Patching is non-negotiable here.
What This Means For You
- If your Node.js applications utilize the `basic-ftp` library, you must immediately verify its version. Upgrade to version 5.3.0 or later to mitigate CVE-2026-41324 and prevent potential denial-of-service attacks against your client processes.
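One way to carry out the version check above across direct and transitive dependencies, as an added example that is not from NVD or the basic-ftp project: it reads an npm lockfile and flags every installed copy of `basic-ftp` older than 5.3.0. The sample lockfile and the `some-downloader` package name are constructed for illustration.

```javascript
// Added example: audit an npm lockfile for basic-ftp releases older than 5.3.0.
const FIXED = [5, 3, 0]; // first fixed release according to the advisory

// True when `version` sorts before the fixed release (or cannot be parsed).
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version));
  if (!m) return true; // git URL, tag or missing version: flag for manual review
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // a pre-release of 5.3.0 sorts before 5.3.0 itself
}

// Collect every installed copy of basic-ftp, direct or transitive.
// lockfileVersion 2/3 uses "packages" keyed by path; version 1 nests "dependencies".
function findBasicFtp(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/basic-ftp' || path.endsWith('/node_modules/basic-ftp')) {
      hits.push({ path, version: meta.version });
    }
  }
  if (hits.length === 0) {
    (function walk(deps, trail) {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${trail}node_modules/${name}`;
        if (name === 'basic-ftp') hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    })(lock.dependencies, '');
  }
  return hits.map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfile (not from a real project); "some-downloader" is hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/basic-ftp': { version: '5.3.0' },
    'node_modules/some-downloader': { version: '2.1.0' },
    'node_modules/some-downloader/node_modules/basic-ftp': { version: '5.0.5' },
  },
};

function audit(lock) { return findBasicFtp(lock).filter((h) => h.vulnerable); }
for (const hit of audit(sampleLock)) console.log(`VULNERABLE ${hit.path} @ ${hit.version}`);
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `audit`.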
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41324 | DoS | basic-ftp Node.js FTP client versions < 5.3.0 |
| CVE-2026-41324 | DoS | Unbounded memory growth in Client.list() when processing directory listings |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 24, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.