Platform: nodejs
Component: ftp-srv
Fixed in: 1.0.1, 3.0.1, 4.0.1, 2.19.6
CVE-2020-15152 is a critical Remote Code Execution (RCE) vulnerability affecting the ftp-srv module in Node.js. This vulnerability arises from improper handling of the PORT command, allowing attackers to manipulate the server's connection target. Versions of ftp-srv prior to 2.19.6 are vulnerable. A fix has been released in version 2.19.6.
The vulnerability lies in the ftp-srv module's handling of the PORT command within the FTP protocol. The PORT command allows a client to specify the IP address and port to which the server should connect for data transfer. CVE-2020-15152 allows a malicious client to inject an arbitrary IP address into this command, effectively redirecting the server's connection to a host controlled by the attacker. This can lead to arbitrary code execution on the server, potentially granting the attacker full control over the system. The blast radius extends to any system running a vulnerable Node.js application utilizing the ftp-srv module, and successful exploitation could result in data breaches, system compromise, and further lateral movement within the network.
CVE-2020-15152 was publicly disclosed on August 17, 2020. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and the relatively straightforward nature of the exploit suggest a potential for exploitation. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, increasing the risk of opportunistic attacks.
Exploit Status
EPSS: 0.22% (44th percentile)
CVSS Vector
The primary mitigation for CVE-2020-15152 is to upgrade to version 2.19.6 or later of the ftp-srv module. If upgrading is not immediately feasible, consider implementing temporary workarounds. One approach is to restrict outbound connections from the FTP server to only trusted IP addresses using a firewall or network segmentation. Additionally, carefully review and validate all incoming FTP commands, specifically the PORT command, to ensure they adhere to expected patterns. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual outbound connections from the FTP server process can be a useful detection technique.
Update the ftp-srv package to version 2.19.6, 3.1.2, or 4.3.4 or higher. This corrects the Server-Side Request Forgery (SSRF) vulnerability in the PORT command. Alternatively, you can block the PORT command through FTP server configuration.
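The validation described above, as an added example written for this page and not code from ftp-srv itself: it parses a PORT argument ("h1,h2,h3,h4,p1,p2"), rejects malformed input, and refuses any data target whose address is not the control connection's own peer or whose port is privileged. The function names, the reply strings and the sample addresses (203.0.113.7 and 10.0.0.5, from documentation and private ranges) are assumptions constructed for the example; clientAddress stands for what a server would read from its control socket's remote address.

```javascript
// Added example, not ftp-srv's own code: validate an FTP PORT command before the
// server dials the data connection. The server must only connect back to the host
// that issued the command, which is the check CVE-2020-15152 concerns.

// Parse "h1,h2,h3,h4,p1,p2" into { host, port }. Returns null on any malformed input.
function parsePortArgument(arg) {
  if (typeof arg !== 'string') return null;
  const parts = arg.trim().split(',');
  if (parts.length !== 6) return null;
  // Each field must be a 1-3 digit decimal number in 0..255.
  const nums = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  if (nums.some((n) => Number.isNaN(n) || n > 255)) return null;
  const host = nums.slice(0, 4).join('.');
  const port = nums[4] * 256 + nums[5];
  if (port === 0) return null;
  return { host, port };
}

// Decide whether the server may open a data connection to the requested target.
// clientAddress is the remote address of the control connection (assumed input).
function isAllowedDataTarget(target, clientAddress) {
  if (!target || typeof clientAddress !== 'string') return false;
  // Dual-stack sockets report IPv4 peers as "::ffff:a.b.c.d"; normalise that form.
  const peer = clientAddress.startsWith('::ffff:') ? clientAddress.slice(7) : clientAddress;
  // Core mitigation: the data target must be the same host as the control connection.
  if (target.host !== peer) return false;
  // Refuse privileged and out-of-range ports; a client should never ask for them.
  if (target.port < 1024 || target.port > 65535) return false;
  return true;
}

// Combined check as a server would apply it on receiving PORT. Reply codes are the
// conventional FTP ones (501 syntax error, 500 illegal command) and are assumptions here.
function validatePortCommand(arg, clientAddress) {
  const target = parsePortArgument(arg);
  if (!target) return { ok: false, reply: '501 Syntax error in parameters' };
  if (!isAllowedDataTarget(target, clientAddress)) {
    return { ok: false, reply: '500 Illegal PORT command' };
  }
  return { ok: true, host: target.host, port: target.port };
}

// Constructed demonstration inputs: the control peer is 203.0.113.7.
console.log(validatePortCommand('203,0,113,7,4,1', '203.0.113.7'));   // accepted, port 1025
console.log(validatePortCommand('10,0,0,5,4,1', '203.0.113.7'));      // refused: foreign host
console.log(validatePortCommand('203,0,113,7,0,22', '203.0.113.7'));  // refused: privileged port
console.log(validatePortCommand('203,0,113,7,4', '203.0.113.7'));     // refused: malformed
```

A server that already performs this comparison has no use for a client-supplied address at all; the alternative mitigation the advisory mentions, disabling PORT entirely and serving only passive-mode transfers, removes the attack surface rather than filtering it.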
CVE-2020-15152 is a critical Remote Code Execution vulnerability in the Node.js ftp-srv module, allowing attackers to execute arbitrary code on the server by manipulating the PORT command.
You are affected if you are using a version of Node.js ftp-srv prior to 2.19.6. Check your installed version and upgrade immediately.
Upgrade to version 2.19.6 or later of the ftp-srv module. If upgrading is not possible, implement temporary workarounds like restricting outbound connections.
While no confirmed active campaigns are publicly known, the CRITICAL severity and available proof-of-concept exploits suggest a potential for exploitation.
Refer to the Node.js security advisories and the ftp-srv module's repository for detailed information and updates: https://nodejs.org/en/security/ and https://github.com/adrianleon/node-ftp-srv