oss-sec mailing list archives

[oss-security][CVE-2026-8328] CPython: FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 13 May 2026 17:05:42 -0700




-------- Forwarded Message --------

Subject: [Security-announce][CVE-2026-8328] FTP PASV SSRF, ftpcp() does not useactual peer address, trusts server-supplied PASV host address

Date:   Wed, 13 May 2026 20:15:52 +0000
From:   Seth Larson <seth () python org>
Reply-To:       security-sig () python org
To:     security-announce () python org



There is a MEDIUM severity vulnerability affecting CPython.

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 wasfixed. While makepasv() was patched to replace server-supplied PASV hostaddresses with the actual peer address (getpeername()[0]), ftpcp() still callsparse227() directly and passes the raw attacker-controllable IP address and portto target.sendport().


Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-8328
* https://github.com/python/cpython/pull/149648

_______________________________________________
Security-announce mailing list -- security-announce () python org
To unsubscribe send an email to security-announce-leave () python org
https://mail.python.org/mailman3//lists/security-announce.python.org

Current thread:

[oss-security][CVE-2026-8328] CPython: FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address Alan Coopersmith (May 13)