High severity7.5NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026

CVE-2026-41324

Description

basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list(), causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
basic-ftpnpm	< 5.3.0	5.3.0

Affected products

Patrickjuchli/Basic Ftp
cpe:2.3:a:patrickjuchli:basic-ftp:*:*:*:*:*:node.js:*:*
Range: <5.3.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rp42-5vxx-qpwrnvdExploitMitigationVendor AdvisoryWEB
github.com/advisories/GHSA-rp42-5vxx-qpwrghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41324ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000