GHSA-rp42-5vxx-qpwr: basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
basic-ftp@5.2.2 is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list(), causing the client process to consume memory until it becomes unstable or crashes.
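
The general mitigation for this class of issue is to cap how many bytes of a listing are buffered before parsing. The following is an added example, not code from basic-ftp or from its fix; the names BoundedListingBuffer, ListingTooLargeError and collectListing, and the 1 MiB default cap, are assumptions made for illustration.

```javascript
// Added example, not basic-ftp code. All names and the default cap are hypothetical.
class ListingTooLargeError extends Error {
  constructor(limit) {
    super(`directory listing exceeded ${limit} bytes; aborting transfer`);
    this.name = "ListingTooLargeError";
    this.limit = limit;
  }
}

class BoundedListingBuffer {
  constructor(maxBytes = 1024 * 1024) {
    this.maxBytes = maxBytes;
    this.chunks = [];
    this.size = 0;
  }

  // Called for every chunk read from the FTP data connection.
  write(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, "utf8");
    // Check before storing, so the chunk that crosses the cap is never retained.
    if (this.size + buf.length > this.maxBytes) {
      this.chunks = []; // release everything buffered so far
      this.size = 0;
      throw new ListingTooLargeError(this.maxBytes);
    }
    this.chunks.push(buf);
    this.size += buf.length;
  }

  // Called once the server has closed the data connection.
  lines() {
    // Decode after concatenation so multi-byte characters split across chunks survive.
    return Buffer.concat(this.chunks, this.size)
      .toString("utf8")
      .split(/\r?\n/)
      .filter((line) => line.length > 0);
  }
}

// Feeds any iterable of chunks (constructed sample data in the tests) through the cap.
function collectListing(chunks, maxBytes) {
  const buffer = new BoundedListingBuffer(maxBytes);
  try {
    for (const chunk of chunks) buffer.write(chunk);
    return { ok: true, lines: buffer.lines() };
  } catch (err) {
    if (!(err instanceof ListingTooLargeError)) throw err;
    return { ok: false, error: err.message, retained: buffer.size };
  }
}
```

In a real client the error path would also destroy the data socket so that the server cannot keep sending.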