CVE-2025-65403 Overview
CVE-2025-65403 is a buffer overflow vulnerability in the g_cfg.MaxUsers component of LightFTP v2.0, an open-source lightweight File Transfer Protocol (FTP) server maintained by hfiref0x. A remote attacker can submit crafted input that overflows the buffer and triggers a Denial of Service (DoS) condition. The flaw is classified under CWE-120: Buffer Copy without Checking Size of Input. Exploitation requires user interaction but no authentication, and the impact is limited to service availability. Confidentiality and integrity of FTP data on the host are not directly affected by this issue.
Critical Impact
Remote attackers can crash the LightFTP service through crafted input, disrupting file transfer operations for all connected users.
Affected Products
- LightFTP v2.0 (hfiref0x:lightftp:2.0)
- Deployments referencing the g_cfg.MaxUsers configuration handler
- Downstream forks and builds based on the LightFTP 2.0 codebase
Discovery Timeline
- 2025-12-01 - CVE-2025-65403 published to the National Vulnerability Database (NVD)
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2025-65403
Vulnerability Analysis
The vulnerability resides in how LightFTP v2.0 processes the g_cfg.MaxUsers configuration value. The server reads input into a fixed-size buffer without validating the length of the supplied data. When the input exceeds the allocated buffer, adjacent memory is overwritten, causing the FTP daemon to terminate abnormally.
The issue maps to [CWE-120], a classic buffer copy without bounds checking. While memory corruption flaws of this class can sometimes enable code execution, the CVSS impact metrics for CVE-2025-65403 indicate the practical outcome is limited to availability loss. Confidentiality and integrity remain intact.
Because LightFTP is typically deployed as a long-running network service, a crash forces administrators to restart the daemon and disrupts any active sessions. Repeated triggering enables a sustained denial of service against the affected host.
Root Cause
The root cause is missing input length validation when parsing the MaxUsers value into the g_cfg configuration structure. The destination buffer is sized for an expected configuration value, but no boundary check rejects oversized input prior to the copy operation.
Attack Vector
The attack vector is network-based. An attacker delivers crafted input that reaches the g_cfg.MaxUsers parsing path, causing the overflow. The CVSS vector indicates user interaction is required, suggesting the trigger involves administrator-supplied or attacker-influenced configuration data being loaded by the server.
No public proof-of-concept exploit is currently catalogued in Exploit-DB, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. The EPSS data indicates a low predicted likelihood of exploitation in the near term. Refer to the LightFTP GitHub repository for source-level context.
Detection Methods for CVE-2025-65403
Indicators of Compromise
- Unexpected termination or crash logs from the LightFTP service process
- Oversized or malformed values supplied to the MaxUsers configuration field
- Repeated FTP service restarts within short time windows on the affected host
- Loss of FTP service availability without corresponding administrative action
Detection Strategies
- Monitor LightFTP process lifecycle events for abnormal exits and segmentation faults
- Inspect configuration files and runtime inputs for MaxUsers values exceeding expected numeric ranges
- Correlate FTP service crashes with inbound network connections from untrusted sources
- Apply file integrity monitoring to LightFTP configuration files to detect tampering
Monitoring Recommendations
- Enable verbose logging on the LightFTP daemon to capture parser-level errors
- Forward FTP server logs and process crash telemetry to a centralized SIEM for correlation
- Alert on repeated daemon restarts within short intervals, which may indicate active exploitation attempts
- Track network connections to the FTP listener for anomalous request patterns preceding crashes
How to Mitigate CVE-2025-65403
Immediate Actions Required
- Inventory all LightFTP v2.0 deployments and identify internet-exposed instances
- Restrict network access to the FTP service using firewall rules or access control lists
- Validate that configuration files contain only expected, bounded values for MaxUsers
- Monitor the LightFTP GitHub repository for an upstream patch addressing the buffer overflow
Patch Information
At the time of publication, no vendor advisory or fixed release is listed in the NVD entry for CVE-2025-65403. Administrators should track the upstream LightFTP project for code commits that add length validation to the g_cfg.MaxUsers parsing routine and apply the fix once available. Additional technical context is provided in the referenced Shimo documentation.
Workarounds
- Place LightFTP behind a network segmentation boundary that restricts access to trusted clients
- Disable the LightFTP service on hosts where FTP functionality is not required
- Replace LightFTP with a maintained FTP or SFTP server until a patched release is available
- Use a reverse proxy or protocol-aware gateway to filter malformed FTP traffic before it reaches the server
# Configuration example: restrict LightFTP access using iptables
iptables -A INPUT -p tcp --dport 21 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

