Apache Commons Net's FTP client trusts the host from PASV response by default
Description
Apache Commons Net FTP client prior to 3.9.0 trusts the host from the PASV response, allowing a malicious server to redirect traffic and leak information about the client's private network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2021-37533 is a vulnerability in Apache Commons Net's FTP client where, prior to version 3.9.0, the client blindly trusts the host address returned in the PASV response [1][3]. This allows a malicious FTP server to redirect the client to a different IP address.
Exploitation
An attacker must first convince the user to connect to a malicious FTP server. Once connected, the server can send a crafted PASV response with a host pointing to an internal or otherwise restricted network. The FTP client then attempts to connect to that host, potentially probing services [1][3].
Impact
Successful exploitation can lead to information leakage about services running on the client's private network. This is a form of FTP bounce scan or server-side request forgery (SSRF) within the FTP protocol context [1][3].
Mitigation
The issue is fixed in Apache Commons Net 3.9.0, where the default behavior is changed to ignore the host from the PASV response and reuse the host of the control connection instead, aligning with curl's approach [4]. Users who need the old behavior (connecting to whatever host the PASV response advertises) can restore it by setting the system property org.apache.commons.net.ftp.ipAddressFromPasvResponse to true or by calling FTPClient#setIpAddressFromPasvResponse(true) [4].
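The following Python block is an added illustration of the mechanics described in the Root Cause and Mitigation sections; it is not code from Apache Commons Net and the function names, the sample replies and the control host address are constructed for the example. It parses an RFC 959 "227 Entering Passive Mode" reply, contrasts the pre-3.9.0 policy (use the advertised host) with the 3.9.0 default (keep the control-connection host, take only the port, as curl does), and includes a mismatch check a client can log on when a server advertises a data host other than the one it was connected to. The `ip_address_from_pasv_response` flag mirrors the name of the property the advisory cites.

```python
import re
from dataclasses import dataclass

# Constructed sample: the host the client opened its FTP control connection to.
CONTROL_HOST = "203.0.113.10"

# Constructed replies. The honest one advertises the server's own address;
# the malicious one advertises an RFC 1918 address and port 22, the pattern the
# advisory describes (server steering the data connection into the client's LAN).
HONEST_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"
MALICIOUS_REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)"

# Host/port tuple of an RFC 959 PASV reply: (h1,h2,h3,h4,p1,p2).
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int


def parse_pasv(reply: str) -> DataEndpoint:
    """Extract the data-connection endpoint the server advertised in its 227 reply."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    match = _PASV_RE.search(reply)
    if match is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    # RFC 959: port = p1 * 256 + p2
    return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2)


def data_endpoint_pre_3_9_0(control_host: str, reply: str) -> DataEndpoint:
    """Vulnerable policy (Commons Net < 3.9.0): connect to whatever host the server advertised."""
    del control_host  # deliberately unused: the control host plays no role here
    return parse_pasv(reply)


def data_endpoint_3_9_0(
    control_host: str, reply: str, ip_address_from_pasv_response: bool = False
) -> DataEndpoint:
    """Hardened policy (Commons Net 3.9.0 default, curl-style): keep the control host,
    take only the port. Passing ip_address_from_pasv_response=True restores the old policy,
    mirroring the property the advisory cites."""
    advertised = parse_pasv(reply)
    if ip_address_from_pasv_response:
        return advertised
    return DataEndpoint(control_host, advertised.port)


def pasv_host_mismatch(control_host: str, reply: str) -> bool:
    """Detection helper: True when the server advertises a data host that differs from the
    control host. Legitimate NAT setups can trigger this too, so treat it as a signal to log
    and review rather than proof of a malicious server."""
    return parse_pasv(reply).host != control_host


if __name__ == "__main__":
    for label, reply in (("honest", HONEST_REPLY), ("malicious", MALICIOUS_REPLY)):
        print(f"{label} reply: {reply}")
        print("  pre-3.9.0 would connect to:", data_endpoint_pre_3_9_0(CONTROL_HOST, reply))
        print("  3.9.0 default connects to: ", data_endpoint_3_9_0(CONTROL_HOST, reply))
        print("  host mismatch flagged:     ", pasv_host_mismatch(CONTROL_HOST, reply))
```

With the malicious reply the pre-3.9.0 policy would open a data connection to 10.0.0.5:22 inside the client's network, while the hardened policy connects to 203.0.113.10:22, so the server learns nothing about the client's LAN; the mismatch check fires on the malicious reply and stays quiet on the honest one.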
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| commons-net:commons-net (Maven) | < 3.9.0 | 3.9.0 |
Affected products
5 products (4 with version ranges):
- pkg:apk/chainguard/spark-3.5-scala-2.13 (no CPE): range < 3.5.7-r2
- pkg:apk/wolfi/spark-3.5-scala-2.13 (no CPE): range < 3.5.7-r2
- pkg:maven/commons-net/commons-net (no CPE): range < 3.9.0
- pkg:rpm/opensuse/apache-commons-net&distro=openSUSE%20Tumbleweed (no CPE): range < 3.9.0-1.1
- Apache Commons Net (no version range given)
Patches
1 patch: 4fe1bae56e53 [NET-711] Add FTP option to toggle use of return host like CURL
1 file changed · +2 −2
src/changes/changes.xml+2 −2 modified@@ -74,8 +74,8 @@ The <action> type attribute can be add,update,fix,remove. <action type="fix" dev="ggregory" due-to="Arturo Bernal"> Use Math.min and Math.max method instead of manual calculations. #104. </action> - <action type="fix" dev="ggregory" due-to="Jochen Wiedmann, Gary Gregory"> - FTP client trusts the host from PASV response by default. + <action issue="NET-711" type="fix" dev="ggregory" due-to="Jochen Wiedmann, Gary Gregory"> + Add FTP option to toggle use of return host like CURL. </action> <!-- ADD --> <action type="add" dev="ggregory" due-to="Gary Gregory">
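Review bot: the replacement entry drops the only wording that names the security problem. "FTP client trusts the host from PASV response by default" becomes "Add FTP option to toggle use of return host like CURL", so a user scanning the release notes for the PASV-host fix will not find it, and the entry now reads like a feature addition even though its type attribute stays "fix". Suggest keeping both halves, e.g. "FTP client trusts the host from PASV response by default; add option to toggle use of the returned host like curl", and stating that the new default ignores the PASV host. Also note that this commit touches only src/changes/changes.xml, so the behaviour change itself lives elsewhere; the entry should point at the commit that implements it.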
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8 references:
1. github.com/advisories/GHSA-cgp8-4m63-fhh5 (ghsa, ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2021-37533 (ghsa, ADVISORY)
3. www.debian.org/security/2022/dsa-5307 (ghsa, vendor-advisory, WEB)
4. www.openwall.com/lists/oss-security/2022/12/03/1 (ghsa, mailing-list, WEB)
5. github.com/apache/commons-net/commit/4fe1bae56e53f32756b1ca3296f3dd2c45e3e060 (ghsa, WEB)
6. issues.apache.org/jira/browse/NET-711 (ghsa, WEB)
7. lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7 (ghsa, WEB)
8. lists.debian.org/debian-lts-announce/2022/12/msg00038.html (ghsa, mailing-list, WEB)