Server-side Request Forgery (SSRF) affecting ftp-srv package, versions >=4.0.0 <4.3.4, >=3.1.0 <3.1.2, <2.19.6


Severity

high (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-JS-FTPSRV-597159
  • published: 2 Aug 2020
  • disclosed: 20 May 2020
  • credit: Vincent

Introduced: 20 May 2020

CVE: not available. CWE-918

How to fix?

Upgrade ftp-srv to version 4.3.4, 3.1.2, 2.19.6 or higher.

Overview

ftp-srv is a modern, extensible FTP server.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). The server fails to prevent remote clients from making it access other resources on the network, for example when a client connects to the server through telnet. This allows attackers to reach any network resource available to the server, including private resources in the hosting environment.

CVSS Scores (version 3.1)