CVE-2019-25683
Received Received - Intake
Denial of Service in FileZilla 3.40.0 Local Search

Publication date: 2026-04-05

Last updated on: 2026-04-09

Assigner: VulnCheck

Description
FileZilla 3.40.0 contains a denial of service vulnerability in the local search functionality that allows local attackers to crash the application by supplying a malformed path string. Attackers can trigger the crash by entering a crafted path containing 384 'A' characters followed by 'BBBB' and 'CCCC' sequences in the search directory field and initiating a local search operation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25683
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
filezilla-project filezilla_client 3.40.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in FileZilla version 3.40.0 and is a denial of service issue within the local search functionality.

Local attackers can cause the application to crash by providing a specially crafted malformed path string.

Specifically, the attacker inputs a path containing 384 'A' characters followed by 'BBBB' and 'CCCC' sequences into the search directory field and initiates a local search, which triggers the crash.

Impact Analysis

The primary impact of this vulnerability is a denial of service condition.

An attacker with local access can crash the FileZilla application, causing disruption of service.

This could lead to loss of availability of the application until it is restarted or the issue is resolved.

Detection Guidance

This vulnerability is triggered by a local attacker supplying a malformed path string in the local search functionality of FileZilla 3.40.0. Detection involves checking if the application crashes when a crafted path containing 384 'A' characters followed by 'BBBB' and 'CCCC' sequences is entered in the search directory field and a local search is initiated.

Since this is a local denial of service vulnerability, network detection commands are not applicable. Detection should be performed by attempting the described malformed input in a controlled environment to observe if the application crashes.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the local search functionality in FileZilla 3.40.0 until a patch or update is available that addresses this vulnerability.

Additionally, restrict local user access to the FileZilla application to trusted users only, minimizing the risk of exploitation by local attackers.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25683. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart