Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI0bTUtNDdjcS02cWc4
Server-Side Request Forgery in ftp-srv
All versions of ftp-srv
from v1.0.0 onward to v4.3.3 are vulnerable to Server-Side Request Forgery (SSRF). The package fails to prevent remote clients to access other resources in the network, for example when connecting to the server through telnet. This allows attackers to access any network resources available to the server, including private resources in the hosting environment.
Recommendation
Upgrade to patched versions
^2.19.6, ^3.1.2, ^4.3.4
Workarounds
Blacklisting the FTP Command PORT will prevent the server from exposing this behaviour through active connections until a fix is applied.
const ftp = new FtpSrv({
blacklist: ['PORT']
});
Permalink: https://github.com/advisories/GHSA-r4m5-47cq-6qg8JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI0bTUtNDdjcS02cWc4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: 4 months ago
Identifiers: GHSA-r4m5-47cq-6qg8
References:
- https://www.npmjs.com/advisories/1445
- https://github.com/QuorumDMS/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9j
- https://github.com/advisories/GHSA-r4m5-47cq-6qg8
Blast Radius: 0.0
Affected Packages
npm:ftp-srv
Dependent packages: 53Dependent repositories: 102
Downloads: 20,088 last month
Affected Version Ranges: >= 4.0.0, < 4.3.4, >= 3.0.0, < 3.1.2, >= 1.0.0, < 2.19.6
Fixed in: 4.3.4, 3.1.2, 2.19.6
All affected versions: 1.0.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.14.0, 2.15.0, 2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.18.0, 2.19.0, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.19.5, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3
All unaffected versions: 0.0.0, 2.19.6, 3.1.2, 4.3.4, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3