CVE-2019-25711
Received Received - Intake
Buffer Overflow in SpotFTP Password Recover 2.4.2 Causes DoS

Publication date: 2026-04-12

Last updated on: 2026-04-17

Assigner: VulnCheck

Description
SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash when submitting the registration code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25711
EUVD
EUVD-2019-20145
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nsasoft spotftp 2.4.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25711 is a denial of service (DoS) vulnerability in SpotFTP Password Recover version 2.4.2 and earlier. It occurs when a local attacker inputs an oversized bufferβ€”specifically a 256-byte payloadβ€”into the Name field during the software's registration process. This causes the application to crash due to improper handling of the input.

The vulnerability is related to CWE-807, which involves reliance on untrusted inputs in a security decision. The exploit involves pasting a crafted 256-byte string into the Name field and submitting the registration code, triggering the crash.

Impact Analysis

This vulnerability can impact you by causing the SpotFTP Password Recover application to crash unexpectedly when a maliciously crafted input is provided locally. This denial of service can disrupt normal operations of the software, potentially preventing legitimate users from using the password recovery functionality.

Since the attack requires local access and no privileges or user interaction, an attacker with local access can exploit this to cause application instability or downtime.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the crash condition locally on the system running SpotFTP Password Recover 2.4.2. Specifically, a test can be performed by creating a 256-byte payload and inputting it into the Name field during the registration process to see if the application crashes.

A practical approach involves generating a text file containing 256 'A' characters, copying this buffer to the clipboard, and pasting it into the Name input field in the registration dialog, then submitting the registration code.

There are no specific network detection commands mentioned, as this is a local vulnerability triggered by user input. Detection is primarily through local testing of the application behavior.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of SpotFTP Password Recover version 2.4.2 or earlier until a patch or update is available that addresses this vulnerability.

Restrict local access to the system running the vulnerable application to trusted users only, as the attack requires local access.

Do not input oversized buffers (256 bytes or more) into the Name field during registration to prevent triggering the denial of service.

Monitor for updates or patches from the vendor or security advisories that address this vulnerability.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25711. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart