GHSA-6V7Q-WJVX-W8WG: Arbitrary FTP Command Execution via CRLF Injection in basic-ftp
Vulnerability ID: GHSA-6V7Q-WJVX-W8WG
CVSS Score: 8.1
Published: 2026-04-10
The basic-ftp npm package prior to version 5.2.2 contains a CRLF injection vulnerability due to incomplete input validation. This flaw allows an attacker who controls credentials or directory inputs to execute arbitrary FTP commands on the target server.
TL;DR
CRLF injection in basic-ftp < 5.2.2 permits arbitrary FTP command execution when handling unvalidated credentials and directory names.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-93
- Attack Vector: Network
- CVSS Score: 8.1
- Impact: Arbitrary FTP Command Execution
- Exploit Status: PoC
- KEV Status: Not Listed
Affected Systems
- basic-ftp: < 5.2.2 (Fixed in: 5.2.2)
Code Analysis
Commit: 20327d3
Fix CRLF injection by moving validation to the FtpContext send method
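To show why centralising the check in the send path closes the hole, here is an added example (not basic-ftp's own code, and not the patched FtpContext): a minimal FTP command sender with a hypothetical `FtpConnection` class whose single `sendCommand` method refuses any line containing CR or LF, placed next to an unvalidated string-concatenation variant. The injected value is a constructed username that smuggles a harmless `NOOP` command.

```javascript
// Added example (not basic-ftp's own code): a minimal FTP command sender
// that validates every command line before it is written to the socket.
// `FtpConnection`, `sendCommand`, `login` and `cd` are hypothetical names.

// FTP is a line-based protocol: each command ends with "\r\n". Any CR or LF
// inside a value spliced into a command line therefore terminates the current
// command and starts a new one the caller never intended.
const CRLF_PATTERN = /[\r\n]/;

class FtpCommandInjectionError extends Error {}

class FtpConnection {
  constructor() {
    // Constructed sink standing in for the socket; records every line sent.
    this.sent = [];
  }

  // Single choke point: every command passes through here, so a check placed
  // here covers USER, PASS, CWD and any command added later.
  sendCommand(command) {
    if (CRLF_PATTERN.test(command)) {
      throw new FtpCommandInjectionError(
        `refusing to send command containing CR/LF: ${JSON.stringify(command)}`
      );
    }
    this.sent.push(command + "\r\n");
    return command;
  }

  login(user, password) {
    this.sendCommand(`USER ${user}`);
    this.sendCommand(`PASS ${password}`);
  }

  cd(path) {
    this.sendCommand(`CWD ${path}`);
  }
}

// Unvalidated variant for comparison: concatenates straight into the wire
// buffer, so an embedded line break reaches the server as a second command.
function unsafeBuildCommands(user, password) {
  return [`USER ${user}\r\n`, `PASS ${password}\r\n`].join("");
}

// Count how many FTP commands a server would parse out of a wire buffer.
function countWireCommands(buffer) {
  return buffer.split("\r\n").filter((line) => line.length > 0).length;
}

function demo() {
  // Constructed input: a username carrying an injected extra command
  // (NOOP chosen because it is harmless).
  const injectedUser = "alice\r\nNOOP";
  const unsafeWire = unsafeBuildCommands(injectedUser, "s3cret");

  const conn = new FtpConnection();
  let rejected = false;
  try {
    conn.login(injectedUser, "s3cret");
  } catch (e) {
    rejected = e instanceof FtpCommandInjectionError;
  }
  return {
    unsafeCommandCount: countWireCommands(unsafeWire), // 3: USER, NOOP, PASS
    safeRejected: rejected,                            // true
    safeCommandsSent: conn.sent.length,                // 0: nothing hit the wire
  };
}

console.log(demo());
```

The same check guards directory names: `cd("pub\r\nNOOP")` is rejected before anything is written, whereas the unvalidated path would deliver two commands.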
Mitigation Strategies
- Upgrade basic-ftp package to version 5.2.2 or higher.
- Implement strict application-level sanitization for all inputs passed to FTP connection and path manipulation functions.
- Monitor network traffic and FTP server logs for sequential commands executed within unexpectedly short timeframes.
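To make the monitoring suggestion concrete, here is an added example (not from the advisory or the basic-ftp project) that runs a per-client burst detector over constructed FTP server log lines. The log format (`<ISO timestamp> client=<ip> cmd=<command line>`), the function names and the thresholds are all assumptions for this example; adapt the parser to the format your FTP daemon actually writes.

```javascript
// Added example (not from the advisory): burst detection over constructed
// FTP server log lines. Log format is invented for this example:
//   <ISO-8601 timestamp> client=<ip> cmd=<FTP command line>
const LOG_LINE = /^(\S+) client=(\S+) cmd=(.*)$/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null; // skip lines that do not match the assumed format
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, client: m[2], cmd: m[3] };
}

// Flags any client that issues at least `threshold` commands within
// `windowMs` milliseconds. An interactive client cannot issue several
// commands within a few milliseconds, but a single CRLF-injected value
// arrives as back-to-back commands in one write, so they land in the log
// with near-identical timestamps.
function findCommandBursts(lines, { windowMs = 50, threshold = 3 } = {}) {
  const byClient = new Map();
  for (const line of lines) {
    const ev = parseLogLine(line);
    if (!ev) continue;
    if (!byClient.has(ev.client)) byClient.set(ev.client, []);
    byClient.get(ev.client).push(ev);
  }

  const alerts = [];
  for (const [client, events] of byClient) {
    events.sort((a, b) => a.ts - b.ts);
    // Sliding window: advance `start` until the window fits in windowMs.
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > windowMs) start++;
      const count = end - start + 1;
      if (count >= threshold) {
        alerts.push({
          client,
          count,
          spanMs: events[end].ts - events[start].ts,
          commands: events.slice(start, end + 1).map((e) => e.cmd),
        });
        break; // one alert per client is enough here
      }
    }
  }
  return alerts;
}

// Constructed sample: a normal interactive session from 198.51.100.7 and a
// burst from 203.0.113.5 where three commands land within 2 ms.
const SAMPLE_LOG = [
  "2026-04-10T12:00:00.000Z client=198.51.100.7 cmd=USER bob",
  "2026-04-10T12:00:01.200Z client=198.51.100.7 cmd=PASS ****",
  "2026-04-10T12:00:04.900Z client=198.51.100.7 cmd=CWD pub",
  "2026-04-10T12:00:00.000Z client=203.0.113.5 cmd=USER alice",
  "2026-04-10T12:00:00.001Z client=203.0.113.5 cmd=NOOP",
  "2026-04-10T12:00:00.002Z client=203.0.113.5 cmd=PASS ****",
  "this line is not in the expected format",
];

console.log(findCommandBursts(SAMPLE_LOG));
```

The window and threshold are starting points, not tuned values; automated clients that legitimately pipeline commands will need a higher threshold or an allow-list, and the alert payload carries the command sequence so an analyst can see whether an unexpected verb sits between USER and PASS.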
Remediation Steps:
- Identify all projects utilizing the basic-ftp npm package.
- Update the package dependencies to use version ^5.2.2.
- Run package manager update commands (e.g., npm install basic-ftp@latest or yarn upgrade basic-ftp).
- Verify the application handles user credentials and file paths correctly after the update.
- Deploy the updated application to production environments.
References
- GitHub Advisory GHSA-6V7Q-WJVX-W8WG
- Fix Commit 20327d35126e57e5fdbaae79a4b65222fbadc53c
- Release 5.2.2