CVE-2026-39983 — CRLF Injection in Basic-ftp

CWE-93 — CRLF Injection88 documents7 sources

Severity

8.6HIGHNVD

EPSS

7.0%

top 8.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Patrickjuchli Basic-ftp

Timeline

PublishedApr 9

Description

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-con…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:LExploitability: 3.9 | Impact: 4.7

Affected Packages2 packages

▶CVEListV5patrickjuchli/basic-ftp< 5.2.1

▶npmpatrickjuchli/basic-ftp5.2.0 — 5.2.1

🔴Vulnerability Details

VulDB

patrickjuchli basic-ftp up to 5.2.0 path crlf injection↗2026-04-09

▶

GHSA

basic-ftp has FTP Command Injection via CRLF↗2026-04-08

▶

OSV

basic-ftp has FTP Command Injection via CRLF↗2026-04-08

▶

📋Vendor Advisories

Red Hat

basic-ftp: basic-ftp: Command injection via CRLF sequences in file path parameters↗2026-04-09

▶

🕵️Threat Intelligence

Wiz

GHSA-qqq7-4hxc-x63c Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-34510 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-39409 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

GHSA-846p-hgpv-vphc Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

GHSA-m34q-h93w-vg5x Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-39983 basic-ftp: basic-ftp: Command injection via CRLF sequences in file path parameters↗2026-04-09

▶