chore(deps): update dependency get-uri>basic-ftp to v5.3.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
get-uri>basic-ftp	=5.2.2 → =5.3.0

---

basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()

GHSA-rp42-5vxx-qpwr

More information

Details

Summary

[email protected] is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list(), causing the client process to consume memory until it becomes unstable or crashes.

Details

The issue is in the package's default directory listing flow.

Client.list() reaches dist/Client.js, where the full listing response is downloaded into a StringWriter before parsing:

File: dist/Client.js:516-527

async _requestListWithCommand(command) {
    const buffer = new StringWriter_1.StringWriter();
    await (0, transfer_1.downloadTo)(buffer, {
        ftp: this.ftp,
        tracker: this._progressTracker,
        command,
        remotePath: "",
        type: "list"
    });
    const text = buffer.getText(this.ftp.encoding);
    this.ftp.log(text);
    return this.parseList(text);
}

The vulnerable sink is StringWriter, which grows an in-memory Buffer with no limit:

File: dist/StringWriter.js:5-20

class StringWriter extends stream_1.Writable {
    constructor() {
        super(...arguments);
        this.buf = Buffer.alloc(0);
    }
    _write(chunk, _, callback) {
        if (chunk instanceof Buffer) {
            this.buf = Buffer.concat([this.buf, chunk]);
            callback(null);
        }
        else {
            callback(new Error("StringWriter expects chunks of type 'Buffer'."));
        }
    }
    getText(encoding) {
        return this.buf.toString(encoding);
    }
}

The critical operation is:

this.buf = Buffer.concat([this.buf, chunk]);

There is no maximum size check, no truncation, and no streaming parser. Because the remote FTP server controls the listing response, it can force the client to keep allocating memory until the process is terminated.

How it happens:

1. An application connects to an attacker-controlled or compromised FTP server.
2. The application calls client.list().
3. The server returns an extremely large or unbounded directory listing.
4. basic-ftp buffers the full response in StringWriter.
5. Memory grows without bound due to repeated Buffer.concat(...) calls.

PoC

The following PoC exercises the vulnerable buffering primitive directly:

const { StringWriter } = require("basic-ftp/dist/StringWriter.js");

function mb(n) {
  return Math.round(n / 1024 / 1024) + "MB";
}

const writer = new StringWriter();
let wrote = 0;

for (let i = 0; i < 32; i++) {
  const chunk = Buffer.alloc(4 * 1024 * 1024, 0x41);
  writer.write(chunk);
  wrote += chunk.length;

  if ((i + 1) % 8 === 0) {
    const m = process.memoryUsage();
    console.log("written", mb(wrote), "rss", mb(m.rss), "heap", mb(m.heapUsed), "buf", mb(m.arrayBuffers));
  }
}

console.log("final text len", writer.getText("utf8").length);

Observed output:

written 32MB rss 116MB heap 4MB buf 64MB
written 64MB rss 296MB heap 4MB buf 240MB
written 96MB rss 340MB heap 3MB buf 284MB
written 128MB rss 436MB heap 3MB buf 376MB
final text len 134217728

This demonstrates sustained memory growth in the same code path used to buffer directory listing data.

Supporting files saved alongside this report:

• poc.js
• poc_output.txt

Impact

This is a denial-of-service vulnerability affecting applications that use basic-ftp to list directories from remote FTP servers.

• Vulnerability class: Memory exhaustion / Denial of Service
• Attack precondition: The victim connects to a malicious or compromised FTP server and performs Client.list()
• Impacted users: Any application or service using [email protected] against untrusted FTP endpoints
• Security effect: The attacker can cause excessive memory consumption, process instability, and potential process termination

Recommended remediation:

1. Enforce a maximum listing size.
2. Abort transfers that exceed the configured limit.
3. Prefer incremental or streaming parsing over full-response buffering.

Example defensive check:

if (this.buf.length + chunk.length > MAX_LISTING_BYTES) {
    callback(new Error("FTP listing exceeds maximum allowed size."));
    return;
}
this.buf = Buffer.concat([this.buf, chunk]);

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rp42-5vxx-qpwr
• https://github.com/advisories/GHSA-rp42-5vxx-qpwr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

patrickjuchli/basic-ftp (get-uri>basic-ftp)

v5.3.0

Compare Source

• Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
• Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 97 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
examples/ui-prompting-examples           |  WARN  deprecated @types/[email protected]
Progress: resolved 48, reused 0, downloaded 0, added 0
Progress: resolved 104, reused 0, downloaded 0, added 0
packages/axios-extension                 |  WARN  deprecated @xmldom/[email protected]
/tmp/renovate/repos/github/SAP/open-ux-tools/packages/backend-proxy-middleware-cf:
 ERR_PNPM_UNSUPPORTED_ENGINE  Unsupported environment (bad pnpm and/or Node.js version)

This error happened while installing a direct dependency of /tmp/renovate/repos/github/SAP/open-ux-tools/packages/backend-proxy-middleware-cf

Your Node version is incompatible with "@sap/[email protected]".

Expected version: ^20.0.0 || ^22.0.0
Got: v24.15.0

This is happening because the package's manifest has an engines.node field specified.
To fix this issue, install the required Node version.

[changeset-bot]

⚠️ No Changeset found

Latest commit: f672949

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR