MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI0bTUtNDdjcS02cWc4

High

Permalink JSON

Server-Side Request Forgery in ftp-srv

Affected Packages	Affected Versions	Fixed Versions
npm:ftp-srv PURL: `pkg:npm/ftp-srv`	>= 4.0.0, < 4.3.4, >= 3.0.0, < 3.1.2, >= 1.0.0, < 2.19.6	4.3.4, 3.1.2, 2.19.6
53 Dependent packages 102 Dependent repositories 24,397 Downloads last month Affected Version Ranges All affected versions 1.0.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.14.0, 2.15.0, 2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.18.0, 2.19.0, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.19.5, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3 All unaffected versions 0.0.0, 2.19.6, 3.1.2, 4.3.4, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3

All versions of ftp-srv from v1.0.0 onward to v4.3.3 are vulnerable to Server-Side Request Forgery (SSRF). The package fails to prevent remote clients to access other resources in the network, for example when connecting to the server through telnet. This allows attackers to access any network resources available to the server, including private resources in the hosting environment.

Recommendation

Upgrade to patched versions
^2.19.6, ^3.1.2, ^4.3.4

Workarounds

Blacklisting the FTP Command PORT will prevent the server from exposing this behaviour through active connections until a fix is applied.

const ftp = new FtpSrv({
  blacklist: ['PORT']
});

References:

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI0bTUtNDdjcS02cWc4

Server-Side Request Forgery in ftp-srv

Affected Version Ranges

All affected versions

All unaffected versions

Recommendation

Workarounds

Identifiers

Risk

Severity

Classification

Source

Origin

Repository

Date and time

Published

Updated

API