CVE-2026-39983
Received - Intake
FTP Command Injection in basic-ftp via CRLF in Path Parameters

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Sources: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: patrickjuchli
Product: basic-ftp
Version / Range: up to 5.2.1 (excluding)
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39983 is a vulnerability in the basic-ftp Node.js FTP client that allows FTP command injection via CRLF (Carriage Return Line Feed) sequences in file path parameters. The issue arises because the library's protectWhitespace() function only handles leading spaces and does not sanitize or reject CR or LF characters within the path. When these unsanitized paths are passed to FTP commands like cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(), the CRLF sequences split one intended FTP command into multiple commands. This enables an attacker to inject arbitrary FTP commands.

The vulnerability is fixed in version 5.2.1 by adding validation that rejects any path containing control characters such as carriage return, line feed, or null byte, preventing command injection attempts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in basic-ftp allows FTP command injection via CRLF sequences in file path parameters, which can lead to unauthorized file deletion, directory manipulation, file exfiltration, and session hijacking. Such unauthorized access and manipulation of files could potentially result in breaches of confidentiality and integrity of sensitive data.

Given that regulations like GDPR and HIPAA require protection of personal and sensitive data against unauthorized access and modification, exploitation of this vulnerability could lead to non-compliance with these standards due to potential data breaches or loss of data integrity.

Therefore, systems using vulnerable versions of basic-ftp may face increased risk of violating compliance requirements related to data security and privacy.


How can this vulnerability impact me?

This vulnerability allows an attacker who can control file path parameters to inject arbitrary FTP commands. Potential impacts include:

  • Arbitrary file deletion by injecting commands like DELE.
  • Directory manipulation through commands such as MKD or RMD.
  • File exfiltration by injecting RETR commands to download files.
  • Execution of server commands on FTP servers that support SITE EXEC.
  • Session hijacking by injecting USER or PASS commands.
  • Service disruption by injecting QUIT commands to terminate sessions.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring FTP commands sent by the basic-ftp client for unexpected or injected FTP commands caused by CRLF sequences in file path parameters.

One approach is to capture and analyze FTP traffic on the network to identify commands that appear split or contain injected commands such as DELE, MKD, RNFR, RNTO, RETR, USER, PASS, or QUIT that were not intended by the client.

Specifically, you can use network packet capture tools like tcpdump or Wireshark to filter FTP control traffic and look for suspicious command sequences.

  • Use tcpdump to capture FTP control traffic on port 21: tcpdump -i <interface> -A port 21
  • In Wireshark, filter with: ftp && (ftp.request.command == "DELE" || ftp.request.command == "MKD" || ftp.request.command == "RNFR" || ftp.request.command == "RNTO" || ftp.request.command == "RETR" || ftp.request.command == "USER" || ftp.request.command == "PASS" || ftp.request.command == "QUIT")

Additionally, reviewing logs of the FTP server or any mock FTP server used for testing can reveal injected commands triggered by malicious path inputs.

On the client side, inspecting or instrumenting the basic-ftp library's protectWhitespace() function or adding validation to detect control characters (\r, \n, \0) in path parameters can help detect attempts to exploit this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to sanitize all file path inputs passed to the basic-ftp client by rejecting or removing any control characters such as carriage return (\r), line feed (\n), or null bytes (\0).

This prevents injection of unintended FTP commands via CRLF sequences in path parameters.

Upgrading the basic-ftp library to version 5.2.1 or later is strongly recommended, as this version includes a fix that rejects paths containing control characters by validating inputs in the protectWhitespace() method.

If upgrading immediately is not possible, implement input validation in your application code to detect and block any path containing control characters before passing it to basic-ftp.
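The following is an added example, not code from basic-ftp or from the advisory, covering both the detection and the mitigation answers above: an application-side validator that rejects the control characters the 5.2.1 fix rejects, a helper that shows why the check matters by counting how many control-channel lines a raw argument would become, and a scanner for logged FTP control-channel commands. The log lines and the allowed-verb list are constructed for the demo.

```javascript
// Added example (not basic-ftp's own code): defender-side helpers for the
// CRLF path-injection issue described above. The sample log at the bottom
// is constructed for this demo.

const CONTROL_CHARS = /[\r\n\0]/;

// Throw if `path` contains CR, LF or NUL; otherwise return it unchanged. Apply to
// every remote path before cd(), remove(), rename(), uploadFrom(), downloadTo(), list() or removeDir().
function assertSafeFtpPath(path) {
  if (typeof path !== 'string') throw new TypeError('FTP path must be a string');
  if (CONTROL_CHARS.test(path)) {
    throw new Error('FTP path contains a control character (CR, LF or NUL)');
  }
  return path;
}

// Number of command lines a server would parse if `verb` were written to the
// control socket with `arg` and a trailing CRLF, as FtpContext.send() does.
// A safe argument yields exactly 1; more means the argument splits the command.
function commandLineCount(verb, arg) {
  return `${verb} ${arg}\r\n`.split(/\r\n|\n|\r/).filter(Boolean).length;
}

// Scan logged control-channel request lines ("VERB argument") and return those
// whose verb the application is not expected to send. USER/PASS are permitted
// only for the initial login; a repeat after login is reported as well.
function findUnexpectedCommands(lines, allowedVerbs) {
  const allowed = new Set(allowedVerbs.map((v) => v.toUpperCase()));
  const flagged = [];
  let loggedIn = false;
  for (const line of lines) {
    const verb = line.trim().split(/\s+/)[0].toUpperCase();
    if (verb === 'USER' || verb === 'PASS') {
      if (loggedIn) flagged.push(line);
      if (verb === 'PASS') loggedIn = true;
    } else if (!allowed.has(verb)) {
      flagged.push(line);
    }
  }
  return flagged;
}

// Constructed sample log: an upload session in which a path argument smuggled
// an extra DELE and a second login attempt.
const SAMPLE_LOG = [
  'USER app', 'PASS ***', 'CWD /uploads', 'STOR report.pdf',
  'DELE /uploads/report.pdf', 'USER other', 'PASS x', 'QUIT',
];
```

Run `findUnexpectedCommands(SAMPLE_LOG, ['CWD', 'STOR', 'TYPE', 'EPSV', 'QUIT'])` with the verbs your application legitimately issues; anything returned deserves a look at the path values that produced it.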

