CVE-2025-14242

Name: CVE-2025-14242
Description: A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release    | Version   | Status
vsftpd (PTS)   | bullseye   | 3.0.3-12  | fixed
vsftpd (PTS)   | bookworm   | 3.0.3-13  | fixed
vsftpd (PTS)   | trixie     | 3.0.5-0.2 | fixed
vsftpd (PTS)   | forky, sid | 3.0.5-0.4 | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
vsftpd  | source | (unstable) | (not affected) |         |        |

Notes

- vsftpd <not-affected> (vulnerable code introduced in a Red Hat specific patch)
  https://bugzilla.redhat.com/show_bug.cgi?id=2419826
  Red Hat specific patch fix: https://src.fedoraproject.org/rpms/vsftpd/c/2ed5ba6e77f1c3e365fb4b0028945f762c456131
