Critical severity9.1NVD Advisory· Published Aug 17, 2020· Updated Jun 17, 2026
CVE-2020-15152
CVE-2020-15152
Description
ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. In ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration. This issue is fixed in version2 2.19.6, 3.1.2, and 4.3.4. More information can be found on the linked advisory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ftp-srvnpm | >= 1.0.0, < 2.19.6 | 2.19.6 |
ftp-srvnpm | >= 3.0.0, < 3.1.2 | 3.1.2 |
ftp-srvnpm | >= 4.0.0, < 4.3.4 | 4.3.4 |
Affected products
2Patches
Vulnerability mechanics
References
8- github.com/autovance/ftp-srv/commit/e449e75219d918c400dec65b4b0759f60476abcanvdPatchThird Party AdvisoryWEB
- github.com/autovance/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9jnvdMitigationPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-jw37-5gqr-cf9jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15152ghsaADVISORY
- www.npmjs.com/package/ftp-srvnvdProductThird Party AdvisoryWEB
- github.com/autovance/ftp-srv/commit/5508c2346cf23b24c20070ff2e8a47c647d3d5b5ghsaWEB
- github.com/autovance/ftp-srv/commit/fb32b012c3baf48ee804e1dc36544cbba70b00d3ghsaWEB
- www.npmjs.com/advisories/1445ghsaWEB
News mentions
0No linked articles in our index yet.