CVE-2026-39983
Received Received - Intake
FTP Command Injection in basic-ftp via CRLF in Path Parameters

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-14
NVD
CVE-2026-39983
EUVD
EUVD-2026-20976
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patrickjuchli basic-ftp to 5.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in basic-ftp allows FTP command injection via CRLF sequences in file path parameters, which can lead to unauthorized file deletion, directory manipulation, file exfiltration, and session hijacking. Such unauthorized access and manipulation of files could potentially result in breaches of confidentiality and integrity of sensitive data.

Given that regulations like GDPR and HIPAA require protection of personal and sensitive data against unauthorized access and modification, exploitation of this vulnerability could lead to non-compliance with these standards due to potential data breaches or loss of data integrity.

Therefore, systems using vulnerable versions of basic-ftp may face increased risk of violating compliance requirements related to data security and privacy.

Executive Summary

CVE-2026-39983 is a vulnerability in the basic-ftp Node.js FTP client that allows FTP command injection via CRLF (Carriage Return Line Feed) sequences in file path parameters. The issue arises because the library's protectWhitespace() function only handles leading spaces and does not sanitize or reject CR or LF characters within the path. When these unsanitized paths are passed to FTP commands like cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(), the CRLF sequences split one intended FTP command into multiple commands. This enables an attacker to inject arbitrary FTP commands.

The vulnerability is fixed in version 5.2.1 by adding validation that rejects any path containing control characters such as carriage return, line feed, or null byte, preventing command injection attempts.

Impact Analysis

This vulnerability allows an attacker who can control file path parameters to inject arbitrary FTP commands. Potential impacts include:

  • Arbitrary file deletion by injecting commands like DELE.
  • Directory manipulation through commands such as MKD or RMD.
  • File exfiltration by injecting RETR commands to download files.
  • Execution of server commands on FTP servers that support SITE EXEC.
  • Session hijacking by injecting USER or PASS commands.
  • Service disruption by injecting QUIT commands to terminate sessions.
Detection Guidance

This vulnerability can be detected by monitoring FTP commands sent by the basic-ftp client for unexpected or injected FTP commands caused by CRLF sequences in file path parameters.

One approach is to capture and analyze FTP traffic on the network to identify commands that appear split or contain injected commands such as DELE, MKD, RNFR, RNTO, RETR, USER, PASS, or QUIT that were not intended by the client.

Specifically, you can use network packet capture tools like tcpdump or Wireshark to filter FTP control traffic and look for suspicious command sequences.

  • Use tcpdump to capture FTP control traffic on port 21: tcpdump -i <interface> -A port 21
  • In Wireshark, filter with: ftp && (ftp.request.command == "DELE" || ftp.request.command == "MKD" || ftp.request.command == "RNFR" || ftp.request.command == "RNTO" || ftp.request.command == "RETR" || ftp.request.command == "USER" || ftp.request.command == "PASS" || ftp.request.command == "QUIT")

Additionally, reviewing logs of the FTP server or any mock FTP server used for testing can reveal injected commands triggered by malicious path inputs.

On the client side, inspecting or instrumenting the basic-ftp library's protectWhitespace() function or adding validation to detect control characters (\r, \n, \0) in path parameters can help detect attempts to exploit this vulnerability.

Mitigation Strategies

The immediate mitigation is to sanitize all file path inputs passed to the basic-ftp client by rejecting or removing any control characters such as carriage return (\r), line feed (\n), or null bytes (\0).

This prevents injection of unintended FTP commands via CRLF sequences in path parameters.

Upgrading the basic-ftp library to version 5.2.1 or later is strongly recommended, as this version includes a fix that rejects paths containing control characters by validating inputs in the protectWhitespace() method.

If upgrading immediately is not possible, implement input validation in your application code to detect and block any path containing control characters before passing it to basic-ftp.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39983. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart