CVE-2020-15152
CRITICAL
ftp-srv <2.19.6/3.1.2/4.3.4 - Server-Side Request Forgery via PORT Command
Title source: manual
Description
ftp-srv is an npm package that provides a modern and extensible FTP server designed to be simple yet configurable. ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 is vulnerable to Server-Side Request Forgery: the PORT command accepts an arbitrary IP address, which a client can use to make the server open a connection to a host of the client's choosing. A possible workaround is blocking the PORT command through the configuration. This issue is fixed in versions 2.19.6, 3.1.2, and 4.3.4. More information can be found in the linked advisory.
References (3)
Core References
https://github.com/autovance/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9j (Mitigation, Patch, Third Party Advisory)
https://github.com/autovance/ftp-srv/commit/e449e75219d918c400dec65b4b0759f60476abca (Patch, Third Party Advisory)
https://www.npmjs.com/package/ftp-srv (Product, Third Party Advisory)
Scores
CVSS v3
9.1
EPSS
0.0186
EPSS Percentile
76.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-918
Status
published
Products (2)
ftp-srv_project/ftp-srv: < 2.19.6
npm/ftp-srv: 1.0.0 - 2.19.6 (npm)
Published
Aug 17, 2020
Tracked Since
Feb 18, 2026