High (8.6)

basic-ftp CRLF command injection (CVE-2026-39983)


basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), ...

Overview

A command injection vulnerability, tracked as CVE-2026-39983, exists in the basic-ftp library for Node.js. This library is a widely used FTP client. The flaw allows an attacker who controls a file path parameter, such as one derived from user input, to inject arbitrary FTP commands into the control connection.

Vulnerability Details

The vulnerability stems from insufficient sanitization of file path arguments passed to high-level API methods like cd(), remove(), uploadFrom(), and list(). The library’s protectWhitespace() helper function only protects against leading spaces, leaving carriage return and line feed (\r\n) sequences untouched. When the FtpContext.send() method constructs the final FTP command, it appends its own \r\n sequence to terminate the command. If an attacker-supplied path contains \r\n, it splits the intended single command, allowing the following text to be executed as a new, separate FTP command. This grants the attacker the ability to issue any command the FTP server permits, such as deleting files, uploading malicious content, or retrieving sensitive data.

Impact

With a high CVSS score of 8.6, this vulnerability poses a significant risk. The attack vector is network-based, requires no privileges or user interaction, and is of low complexity. An attacker exploiting this flaw could execute arbitrary FTP commands on the server within the client's authenticated session, leading to data theft, data destruction, or a compromised server that could be used as a foothold for further attacks. For organizations handling sensitive data transfers via FTP, this is a critical security concern.

Remediation and Mitigation

The primary and immediate action is to upgrade the basic-ftp package to version 5.2.1 or later, where this vulnerability has been fixed.

Actionable Steps:

  1. Update: Run npm update basic-ftp in your project directory to install version 5.2.1.
  2. Verify: Check that package.json specifies ^5.2.1 and that package-lock.json resolves basic-ftp to 5.2.1 or later.
  3. Audit Input: As a general security practice, rigorously validate and sanitize all user-supplied input that is passed to file system or network APIs, even when using a trusted library. Assume all input is malicious until proven otherwise.

If an immediate update is not possible, audit all code paths where user-controlled data is passed to any basic-ftp method that accepts a path, and implement strict validation to reject strings containing CRLF (\r\n) sequences.
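The following is an added example, not code from basic-ftp or this advisory. It reproduces the framing behaviour described above (a CRLF terminator appended to an unsanitized argument) to show why a path containing \r\n is seen by the server as two commands, and it implements the CRLF-rejecting validation recommended as an interim mitigation. The function names, the regular expression and the sample paths are ours; the guard also rejects other ASCII control characters, which goes slightly beyond the advisory's minimum.

```javascript
// Added example (not basic-ftp's own code). Names below are hypothetical.

// Mimic how a client frames a control-connection command: verb, space,
// argument, then the CRLF terminator. Nothing strips \r or \n from the argument,
// which is the defect the advisory describes.
function frameCommand(verb, arg) {
  return `${verb} ${arg}\r\n`;
}

// Split raw control-connection text into the commands an FTP server would parse.
function commandsSeenByServer(raw) {
  return raw.split("\r\n").filter((line) => line.length > 0);
}

// Defensive check: FTP arguments must never contain CR or LF. We also reject
// other ASCII control characters and NUL, since no legitimate path needs them.
const FTP_ARG_CONTROL_CHARS = /[\x00-\x1f\x7f]/;

function isSafeFtpPath(path) {
  return typeof path === "string" && path.length > 0 && !FTP_ARG_CONTROL_CHARS.test(path);
}

function assertSafeFtpPath(path) {
  if (!isSafeFtpPath(path)) {
    throw new Error("FTP path rejected: contains control characters (possible CRLF injection)");
  }
  return path;
}

// Call-site wrapper (hypothetical): validate before handing the path to the client.
async function safeCd(client, path) {
  return client.cd(assertSafeFtpPath(path));
}

// Constructed sample inputs for illustration.
const benignPath = "uploads/2026";
const injectedPath = "uploads/2026\r\nNOOP"; // constructed: a second command after CRLF

console.log(commandsSeenByServer(frameCommand("CWD", benignPath)));   // [ 'CWD uploads/2026' ]
console.log(commandsSeenByServer(frameCommand("CWD", injectedPath))); // [ 'CWD uploads/2026', 'NOOP' ]
console.log(isSafeFtpPath(injectedPath));                             // false
```

Apply the same guard to every basic-ftp method that takes a path (cd, remove, uploadFrom, list, and the rest) until the upgrade to 5.2.1 is in place.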

Security Insight

This vulnerability highlights the persistent risk of injection attacks when data and control channels are not properly separated. It is reminiscent of classic web vulnerabilities like HTTP header injection or SQL injection, now manifesting in a protocol-specific client library. The flaw’s presence in a helper function named protectWhitespace() suggests a security gap where a partial mitigation was mistaken for a complete one, a common pitfall in secure coding.
