CVE-2019-25588
Buffer Overflow in BulletProof FTP Server DNS Causes DoS Crash
Publication date: 2026-03-22
Last updated on: 2026-03-25
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bpftpserver | bulletproof_ftp_server | 2019.0.0.50 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1282 | Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25588 is a denial of service (DoS) vulnerability in BulletProof FTP Server version 2019.0.0.50. It occurs because the application improperly handles an excessively long string input in the DNS Address field within the Firewall settings.

A local attacker can enable the DNS Address option and supply a buffer of about 700 bytes. When the 'Test' function is invoked, this causes the application to crash, resulting in a denial of service.

This vulnerability is classified under CWE-1282, involving assumed-immutable data stored in writable memory. [3, 4]
How can this vulnerability impact me?
This vulnerability can cause the BulletProof FTP Server application to crash, leading to a denial of service condition.
Since the attack requires local access but no privileges or user interaction, an attacker with local access can disrupt the availability of the FTP server by triggering this crash.
The impact is specifically on availability, meaning legitimate users may be unable to use the FTP service while the server is crashed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the DNS Address field in the BulletProof FTP Server firewall settings with an excessively long string of approximately 700 bytes. When the 'Test' function is invoked with this input, the application crashes, indicating the presence of the vulnerability.

A proof-of-concept method involves generating a payload consisting of 700 'A' characters, copying it to the clipboard, enabling the DNS Address option in the firewall settings, pasting the payload, and clicking the 'Test' button to observe whether the server crashes.

The steps to reproduce the detection are:

1. Run the provided Python script (BulletProof_DNS_Server_2019.0.0.50.py) to generate the payload file.
2. Open the generated file (bullet_storage.txt) and copy its contents to the clipboard.
3. Open BulletProof FTP Server and navigate to Settings > Protocols > FTP > Firewall.
4. Enable the 'DNS Address' option and paste the clipboard content.
5. Click the 'Test' button and check whether the application crashes. [4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include not enabling the DNS Address option in the firewall settings of BulletProof FTP Server version 2019.0.0.50 or earlier, since this is the feature exploited by the vulnerability.
If the DNS Address option must be used, ensure that no excessively long strings (around 700 bytes) are entered into this field, so the denial of service is not triggered.
Additionally, consider updating to a newer, patched version of BulletProof FTP Server if one is available, or applying any vendor-provided patches or workarounds once released.