ftplib should not use the host from the PASV response


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

The IPv4 address value returned from the server in response to the PASV command should not be trusted. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.

Instead of using the returned address, we use the IP address we’re already connected to. This is the strategy other ftp clients adopted, and matches the only strategy available for the modern IPv6 EPSV command where the server response must return a port number and nothing else.


  • Disclosure date: 2021-02-21 (Python issue bpo-43285 reported)

Fixed In

Python issue

ftplib should not use the host from the PASV response.

  • Python issue: bpo-43285
  • Creation date: 2021-02-21
  • Reporter: confd0


Timeline using the disclosure date 2021-02-21 as reference: