CVE-2019-25711
Buffer Overflow in SpotFTP Password Recover 2.4.2 Causes DoS
Publication date: 2026-04-12
Last updated on: 2026-04-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nsasoft | spotftp | 2.4.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25711 is a denial of service (DoS) vulnerability in SpotFTP Password Recover version 2.4.2 and earlier. It occurs when a local attacker inputs an oversized bufferβspecifically a 256-byte payloadβinto the Name field during the software's registration process. This causes the application to crash due to improper handling of the input.
The vulnerability is related to CWE-807, which involves reliance on untrusted inputs in a security decision. The exploit involves pasting a crafted 256-byte string into the Name field and submitting the registration code, triggering the crash.
How can this vulnerability impact me? :
This vulnerability can impact you by causing the SpotFTP Password Recover application to crash unexpectedly when a maliciously crafted input is provided locally. This denial of service can disrupt normal operations of the software, potentially preventing legitimate users from using the password recovery functionality.
Since the attack requires local access and no privileges or user interaction, an attacker with local access can exploit this to cause application instability or downtime.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the crash condition locally on the system running SpotFTP Password Recover 2.4.2. Specifically, a test can be performed by creating a 256-byte payload and inputting it into the Name field during the registration process to see if the application crashes.
A practical approach involves generating a text file containing 256 'A' characters, copying this buffer to the clipboard, and pasting it into the Name input field in the registration dialog, then submitting the registration code.
There are no specific network detection commands mentioned, as this is a local vulnerability triggered by user input. Detection is primarily through local testing of the application behavior.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of SpotFTP Password Recover version 2.4.2 or earlier until a patch or update is available that addresses this vulnerability.
Restrict local access to the system running the vulnerable application to trusted users only, as the attack requires local access.
Do not input oversized buffers (256 bytes or more) into the Name field during registration to prevent triggering the denial of service.
Monitor for updates or patches from the vendor or security advisories that address this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.