CVE-2026-44240: basic-ftp Client-Side DoS Poses Risk to Node.js Applications
The National Vulnerability Database has detailed CVE-2026-44240, a high-severity client-side Denial of Service (DoS) vulnerability in basic-ftp, a popular Node.js FTP client. Prior to version 5.3.1, the client is susceptible to a resource exhaustion attack when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can exploit this by sending an unterminated multiline response during the initial banner phase, even before authentication.
This flaw causes the basic-ftp client to continuously append attacker-controlled data to its `_partialResponse` buffer and repeatedly reparse the growing buffer without any size limits. The National Vulnerability Database warns that this leads to escalating memory and CPU consumption, effectively freezing the application during its `connect()` operation. The practical impact for applications using basic-ftp includes process-level DoS, container OOM kills, worker restarts, and service degradation, especially in systems that auto-connect to FTP endpoints.
This vulnerability, tracked under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), highlights a critical risk for applications relying on basic-ftp for file transfers. The fix is available in version 5.3.1, and immediate patching is essential to mitigate the risk of attacker-induced service disruption.
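The accumulation described above, worked through as an added example that is not basic-ftp's own code: a minimal control-channel reply parser that consumes complete lines incrementally (each line is parsed once, so there is no reparse of a growing buffer) and refuses to hold more than a fixed number of bytes for any reply that has not yet seen its terminating `NNN ` line. The class and function names, the 64 KiB default cap and the hostile banner it is fed are all constructed for this example.

```javascript
// Added example, not code from basic-ftp or its maintainers: an incremental,
// size-bounded parser for FTP control-channel replies (RFC 959 style).
// A reply is either a single line "NNN text" or a multiline block that opens
// with "NNN-text" and ends with a line starting with the same "NNN ".
// Names and the default cap are assumptions made for this example.

const DEFAULT_MAX_REPLY_BYTES = 64 * 1024;

class BoundedReplyParser {
  constructor(maxReplyBytes = DEFAULT_MAX_REPLY_BYTES) {
    this.maxReplyBytes = maxReplyBytes;
    this.lineBuffer = ""; // incomplete trailing line carried to the next chunk
    this.current = null;  // multiline reply in progress: { code, lines }
    this.heldBytes = 0;   // bytes of the lines collected so far for `current`
  }

  // Feed one socket chunk. Returns the replies this chunk completed, as
  // [{ code, lines }]. Once the bytes held for an unterminated reply pass the
  // cap the parser throws; the caller should then drop the connection.
  feed(chunk) {
    const completed = [];
    let data = this.lineBuffer + chunk;
    let idx;
    // Consume only complete CRLF-terminated lines; keep the remainder.
    while ((idx = data.indexOf("\r\n")) !== -1) {
      const line = data.slice(0, idx);
      data = data.slice(idx + 2);
      const reply = this.consumeLine(line);
      if (reply) completed.push(reply);
    }
    this.lineBuffer = data;
    const held = this.heldBytes + Buffer.byteLength(data, "utf8");
    if (held > this.maxReplyBytes) {
      throw new RangeError(
        `FTP reply exceeded ${this.maxReplyBytes} bytes without a terminating line`
      );
    }
    return completed;
  }

  consumeLine(line) {
    if (this.current === null) {
      const m = /^(\d{3})([ -])(.*)$/.exec(line);
      if (!m) throw new SyntaxError(`malformed FTP reply line: ${JSON.stringify(line)}`);
      const code = Number(m[1]);
      if (m[2] === " ") return { code, lines: [m[3]] }; // single-line reply
      this.current = { code, lines: [m[3]] };            // multiline opener
      this.heldBytes = Buffer.byteLength(line, "utf8") + 2;
      return null;
    }
    // Inside a multiline reply: the terminator is "<same code><space>".
    const terminator = `${this.current.code} `;
    if (line.startsWith(terminator)) {
      const reply = this.current;
      reply.lines.push(line.slice(terminator.length));
      this.current = null;
      this.heldBytes = 0;
      return reply;
    }
    this.current.lines.push(line);
    this.heldBytes += Buffer.byteLength(line, "utf8") + 2;
    return null;
  }
}

// Drives the parser with a constructed hostile banner: a "220-" opener
// followed by 1000-byte filler lines and never the terminating "220 " line.
// Returns how many filler chunks were accepted before the cap stopped it.
function runUnterminatedBanner(maxReplyBytes, fillerChunks = 10000) {
  const parser = new BoundedReplyParser(maxReplyBytes);
  const filler = "x".repeat(1000) + "\r\n";
  let accepted = 0;
  try {
    parser.feed("220-Welcome\r\n");
    for (let i = 0; i < fillerChunks; i++) {
      parser.feed(filler);
      accepted += 1;
    }
    return { accepted, error: null };
  } catch (err) {
    return { accepted, error: err.message };
  }
}

console.log(runUnterminatedBanner(8192));
// { accepted: 8, error: 'FTP reply exceeded 8192 bytes without a terminating line' }
```

With an 8 KiB cap the constructed banner is cut off after eight filler chunks, whereas an unbounded parser would keep absorbing them for as long as the server chose to send. The cap is deliberately per-reply rather than per-connection, so a long but legitimate multiline banner still parses as long as it terminates.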
What This Means For You
- If your Node.js applications use the `basic-ftp` library, you are vulnerable to client-side denial of service via a malicious FTP server. This isn't just a theoretical bug; it’s a direct path to application downtime and potential OOM kills. Identify all instances of `basic-ftp` in your environment and ensure they are patched to version 5.3.1 or later immediately. Failure to do so leaves a wide-open vector for an attacker to cripple your services by simply presenting a malformed FTP banner.
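One way to carry out the inventory step above, as an added example that is not part of the advisory or of basic-ftp: a script that reads an npm lockfile and reports every resolved copy of `basic-ftp` older than the fixed version, including copies nested under transitive dependencies, which `npm ls` shows but a glance at `package.json` does not. The fixed version comes from the advisory; the package names and versions in the sample lockfiles are constructed.

```javascript
// Added example, not part of the advisory or of basic-ftp: flag every copy of
// basic-ftp below the fixed version in an npm lockfile, covering both the
// lockfile v1 layout (nested "dependencies") and v2/v3 (flat "packages").
// FIXED_VERSION is from the advisory; the sample lockfiles are constructed.

const PACKAGE = "basic-ftp";
const FIXED_VERSION = "5.3.1";

// Compare two versions numerically; a pre-release (5.3.1-rc.1) sorts below
// the matching release, so it is still reported as unpatched.
function compareVersions(a, b) {
  const [coreA, preA] = a.split("+")[0].split("-", 2);
  const [coreB, preB] = b.split("+")[0].split("-", 2);
  const pa = coreA.split(".").map(Number);
  const pb = coreB.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (Boolean(preA) !== Boolean(preB)) return preA ? -1 : 1;
  return 0;
}

function isUnpatched(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Returns [{ path, version }] for every unpatched copy found in the lockfile.
function findUnpatchedBasicFtp(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // v2/v3: keys are install paths such as "node_modules/a/node_modules/basic-ftp"
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      const isTarget = path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`);
      if (isTarget && meta.version && isUnpatched(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits; // v2 lockfiles also carry a v1 tree; skip it to avoid double counting
  }
  // v1: recurse through the nested dependency tree
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE && meta.version && isUnpatched(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return hits;
}

// Constructed lockfiles: a v3 one whose top-level copy is patched but whose
// transitive dependency pins an old copy, and a v1 one with an old top-level copy.
const SAMPLE_LOCKFILE_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "basic-ftp": "^5.3.1", "legacy-sync": "1.0.0" } },
    "node_modules/basic-ftp": { version: "5.3.1" },
    "node_modules/legacy-sync": { version: "1.0.0", dependencies: { "basic-ftp": "5.0.5" } },
    "node_modules/legacy-sync/node_modules/basic-ftp": { version: "5.0.5" },
  },
};

const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "basic-ftp": { version: "4.6.6" },
    "mirror-tool": { version: "2.0.0", dependencies: { "basic-ftp": { version: "5.3.2" } } },
  },
};

console.log(findUnpatchedBasicFtp(SAMPLE_LOCKFILE_V3));
// [ { path: 'node_modules/legacy-sync/node_modules/basic-ftp', version: '5.0.5' } ]
console.log(findUnpatchedBasicFtp(SAMPLE_LOCKFILE_V1));
// [ { path: 'node_modules/basic-ftp', version: '4.6.6' } ]
```

To run it against a real project, replace the sample objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls basic-ftp` gives the same resolved tree interactively, and `npm audit` will flag the advisory once it is in the registry's advisory database. Nested copies are the ones that survive a top-level `npm update`, so a report that lists install paths rather than just "found basic-ftp" is what tells you which transitive dependency still needs a bump.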
Related ATT&CK Techniques
🛡️ Detection Rules
```yaml
title: "CVE-2026-44240: Node.js basic-ftp Client-Side DoS via Unterminated Multiline Response"
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  Detects Node.js processes executing the basic-ftp library, which is vulnerable to a client-side DoS when parsing unterminated multiline FTP responses. This can lead to excessive memory and CPU consumption, causing service degradation or crashes. This rule specifically targets the execution of the basic-ftp module within a Node.js environment.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44240/
tags:
  - attack.impact
  - attack.t1499
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'node.exe'
    CommandLine|contains:
      - 'basic-ftp'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44240 | DoS | basic-ftp Node.js client prior to version 5.3.1 |
| CVE-2026-44240 | DoS | Vulnerable component: FTP control-channel multiline response parsing |
| CVE-2026-44240 | DoS | Attack vector: Unterminated multiline response during FTP banner phase |
| CVE-2026-44240 | DoS | Affected function: FtpContext._partialResponse accumulation and re-parsing |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.