Resource Exhaustion Affecting kibana-9.4 package, versions <9.4.1-r0


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.46% (37th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-KIBANA94-16698209
  • published15 May 2026
  • disclosed12 May 2026

Introduced: 12 May 2026

CVE-2026-44240  (opens in a new tab)
CWE-400  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade Chainguard kibana-9.4 to version 9.4.1-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kibana-9.4 package and not the kibana-9.4 package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.