basic-ftp version 5.2.0 allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.
| Product | Affected versions | Fixed version | | --- | --- | --- | | basic-ftp (npm) | 5.2.0 (confirmed) | no fix available as of 2026-04-04 |
CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')8.6 (High)CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:Ldist/Client.js, all path-handling methods via protectWhitespace() and send()The vulnerability exists because of two interacting code patterns:
1. Inadequate path sanitization in protectWhitespace() (line 677):
async protectWhitespace(path) {
if (!path.startsWith(" ")) {
return path; // No sanitization of \r\n characters
}
const pwd = await this.pwd();
const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
return absolutePathPrefix + path;
}
This function only handles leading whitespace. It does not strip or reject \r (0x0D) or \n (0x0A) characters anywhere in the path string.
2. Direct socket write in send() (FtpContext.js line 177):
send(command) {
this._socket.write(command + "\r\n", this.encoding);
}
The send() method appends \r\n to the command and writes directly to the TCP socket. If the command string already contains \r\n sequences (from unsanitized path input), the FTP server interprets them as command...
5.2.05.2.1Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:LI:HA:L8.6/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L