GHSA-CHQC-8P9Q-PQ6Q: FTP Command Injection via CRLF Sequences in basic-ftp
Vulnerability ID: GHSA-CHQC-8P9Q-PQ6Q
CVSS Score: 8.6
Published: 2026-04-08
basic-ftp 5.2.0, an FTP client library for Node.js, is vulnerable to FTP command injection because it does not neutralize CR/LF sequences in path inputs. The client builds each control-channel command by concatenating a verb, the path and a terminating CRLF, so an attacker who controls a path can embed "\r\n" followed by further commands and have them executed on the control socket within the already authenticated session. Depending on the account's privileges this allows unauthorized file deletion or modification, or any other operation the session is permitted to perform.
TL;DR
basic-ftp 5.2.0 does not reject CR or LF characters in path inputs, allowing an attacker who controls a path to inject arbitrary FTP commands into the control socket. The issue is fixed in version 5.2.1.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: CRLF Injection
- CWE ID: CWE-93
- CVSS v3.1 Score: 8.6
- Attack Vector: Network
- Exploit Status: Proof of Concept
- Affected Component: basic-ftp (npm)
Affected Systems
- Node.js applications using basic-ftp version 5.2.0
- basic-ftp: 5.2.0 (fixed in: 5.2.1)
Code Analysis
Commit: 2ecc8e2
Fix CRLF injection vulnerability by rejecting control characters in protectWhitespace
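The following is an added illustration of the bug class and of the input-validation mitigation; it is not code from basic-ftp or from the fix commit. It models the way an FTP client builds control-channel commands and shows how a path containing CR/LF splits into two commands on the wire, then applies the same kind of check the fix describes (rejecting ASCII control characters in the path) before the path reaches the socket. The function names (buildCommandVulnerable, buildCommandSafe, assertSafePath, splitCommands, demo) and the sample paths are hypothetical and constructed for this example.

```javascript
// Added example, not basic-ftp's own code. Models a minimal FTP client that
// builds control-channel commands as "<VERB> <path>\r\n".

const CRLF = "\r\n";

// Vulnerable: the path is interpolated without neutralising CR/LF, so a path
// containing "\r\n" terminates the intended command and starts a new one.
function buildCommandVulnerable(verb, path) {
  return `${verb} ${path}${CRLF}`;
}

// Hardened: reject any ASCII control character (0x00-0x1F, 0x7F) before the
// path is written to the control socket. A bare "\n" is rejected too, since
// some servers accept LF-only line endings. Ordinary spaces stay allowed
// because FTP paths legitimately contain them.
function assertSafePath(path) {
  if (/[\x00-\x1f\x7f]/.test(path)) {
    throw new Error("Path contains control characters");
  }
  return path;
}

function buildCommandSafe(verb, path) {
  return `${verb} ${assertSafePath(path)}${CRLF}`;
}

// Split a raw control-channel byte stream into the commands a server would
// parse from it.
function splitCommands(raw) {
  return raw.split(CRLF).filter((c) => c.length > 0);
}

// Constructed attacker-controlled filename that smuggles a second command.
const hostilePath = "report.txt" + CRLF + "DELE /srv/data/backups.tar";

// Runs both builders on the hostile path and reports what the server would
// see from the vulnerable one and whether the hardened one refused it.
function demo() {
  const sent = buildCommandVulnerable("RETR", hostilePath);
  const seenByServer = splitCommands(sent);
  // seenByServer is ["RETR report.txt", "DELE /srv/data/backups.tar"]:
  // the application asked for a download, the server also receives a delete.

  let blocked = false;
  try {
    buildCommandSafe("RETR", hostilePath);
  } catch (e) {
    blocked = true;
  }
  return { seenByServer, blocked };
}
```

The check belongs in the client, as the fix places it, but applications that pass user-controlled names to any FTP client should apply the same rejection at their own input boundary as well, since it costs nothing and protects against a client that is later found to have missed a case.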
Mitigation Strategies
- Upgrade basic-ftp to version 5.2.1 or later
- Implement strict input validation on all user-supplied file paths, rejecting CR, LF and other control characters before they reach any FTP client
- Enforce the principle of least privilege for the FTP service accounts the application logs in with, so that an injected command cannot delete or overwrite files beyond what the application actually needs
Remediation Steps:
- Identify all projects utilizing the basic-ftp package in the environment.
- Update the package.json manifest to require basic-ftp version >= 5.2.1.
- Run the dependency install (for example npm install) to pull the patched version and refresh the lockfile.
- Deploy the updated application build to production environments.
- Review FTP service account permissions and restrict them to necessary actions only.
References
Read the full report for GHSA-CHQC-8P9Q-PQ6Q on our website for more details including interactive diagrams and full exploit analysis.