ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. In ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration. This issue is fixed in version2 2.19.6, 3.1.2, and 4.3.4. More information can be found on the linked advisory.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| ftp-srv(npm) | 1.0.0 | 2.19.6 | N/A |
| ftp-srv(npm) | 3.0.0 | 3.1.2 | N/A |
| ftp-srv(npm) | 4.0.0 | 4.3.4 | N/A |
CVSS Metrics
