# CVE-2026-41324

> Vulnerability · severity: **HIGH** (CVSS 7.5).

## Description

basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.

## Key facts

- **CVE ID:** CVE-2026-41324
- **Published:** 2026-04-24
- **CVSS severity:** HIGH
- **CVSS base score:** 7.5
- **CWE codes:** CWE-400, CWE-770

## Affected products

- `patrickjuchli:basic-ftp`

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41324

## Citation

> AI Analytics. CVE-2026-41324. Retrieved 2026-07-15 from https://api.ai-analytics.org/cve/CVE-2026-41324. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*