GMS-2020-1101: Server-Side Request Forgery in ftp-srv

September 4, 2020 (updated January 8, 2024)

All versions of ftp-srv is vulnerable to Server-Side Request Forgery (SSRF). The package fails to prevent remote clients to access other resources in the network, for example when connecting to the server through telnet. This allows attackers to access any network resources available to the server, including private resources in the hosting environment.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

References

github.com/advisories/GHSA-r4m5-47cq-6qg8
www.npmjs.com/advisories/1445

Code Behaviors & Features

Detect and mitigate GMS-2020-1101 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →