CVE-2026-39983
published 2026-04-09

Priority: P260 · Severity: high · CVSS 3.1 base score: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS: 2.19% (80.1th percentile)
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. Because the FTP control channel is line-oriented, an attacker-controlled path containing \r\n splits one intended command into several: the text after the CRLF is read by the server as a new command. Exploitation therefore requires that the application pass attacker-influenced strings (for example a user-supplied file name) into one of these path APIs. This vulnerability is fixed in 5.2.1.

Affected (2 ranges)

Vendor         Product    Version range        Fixed in
patrickjuchli  basic-ftp  < 5.2.1              5.2.1
patrickjuchli  basic-ftp  >= 5.2.0, < 5.2.1    5.2.1

The second range lies inside the first; the effective affected set is every release before 5.2.1.

Detection & IOCs (extracted from sources)

  • FTP command injection via CRLF sequences (\r\n) embedded in file path parameters passed to basic-ftp high-level APIs (cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), removeDir()). Check path arguments for \r\n before they reach the client: once written to the control socket, the injected text is indistinguishable from a second, legitimate command.
  • The vulnerable code path is FtpContext.send(), which writes the command string directly to the control socket with \r\n appended, without sanitising embedded CRLF in the path. Monitor FTP control-channel traffic for unexpected multi-command sequences originating from a single client request (for example a DELE or RMD immediately following a CWD or STOR whose argument the client application never constructs that way).
  • The protectWhitespace() helper in basic-ftp only handles leading spaces and does not strip or reject embedded CRLF characters; any path argument containing \r\n bypasses this guard entirely.
  • The vulnerability affects basic-ftp versions prior to 5.2.1 only; instances running 5.2.1 or later are not affected.
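The description and the detection notes above both come down to one mechanism: a line-oriented protocol, a command string built by concatenation, and a helper that never looks for control characters. The following is an added example written for this page; it is not basic-ftp's own code. It models that mechanism with a stand-in protectWhitespace() that only handles a leading space (an assumption based on the advisory's description, not the library's source), a recording fake socket in place of the real control connection, a vulnerable send() beside a hardened one that refuses CR/LF, an input-boundary check an application can apply to untrusted paths before an upgrade, and a small semver test against the affected range. The attacker path, the socket class and all function names are constructed for the illustration.

```javascript
// Added illustration for CVE-2026-39983 (not basic-ftp's own code). It models
// the control path the advisory describes: a whitespace helper that only
// handles a leading space, and a send() that appends "\r\n" and writes the
// command string to the socket unchanged. The helper names, the fake socket,
// the semver check and the sample paths are all constructed for this example.

// Stand-in for a helper that only protects a leading space (assumption based
// on the advisory; the real library's implementation is not reproduced here).
function protectWhitespace(path) {
  return path.startsWith(" ") ? "./" + path : path;
}

// Fake control socket: records what was written and splits it the way an FTP
// server reads the control channel, one command per CRLF-terminated line.
class RecordingSocket {
  constructor() {
    this.raw = "";
  }
  write(data) {
    this.raw += data;
  }
  commands() {
    return this.raw.split("\r\n").filter((line) => line.length > 0);
  }
}

// Vulnerable pattern: the command string goes to the wire verbatim, so a CRLF
// inside the argument terminates the intended command and starts another.
function sendVulnerable(socket, command) {
  socket.write(command + "\r\n");
}

// Hardened pattern: refuse any CR or LF before the string reaches the socket.
// Throwing is the safe failure mode; silently stripping the bytes would send
// a different path than the caller asked for.
function sendHardened(socket, command) {
  if (/[\r\n]/.test(command)) {
    throw new Error("refusing FTP command with embedded CR/LF");
  }
  socket.write(command + "\r\n");
}

// Minimal cd() wrappers in the shape of the high-level path APIs listed above.
function cdVulnerable(socket, path) {
  sendVulnerable(socket, "CWD " + protectWhitespace(path));
}
function cdHardened(socket, path) {
  sendHardened(socket, "CWD " + protectWhitespace(path));
}

// Input-boundary check an application can apply to any user-supplied path
// before handing it to an FTP client that has not yet been upgraded.
function hasCrlf(path) {
  return /[\r\n]/.test(path);
}

// Returns true when an installed basic-ftp version falls in the affected
// range (< 5.2.1). Handles plain x.y.z versions only.
function isAffectedVersion(version) {
  const parts = version.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error("expected a plain x.y.z version, got " + version);
  }
  const fixed = [5, 2, 1];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false; // exactly 5.2.1
}

// Constructed attacker input: a directory name carrying a second command.
const ATTACK_PATH = "uploads\r\nDELE /srv/ftp/important.txt";

// Demo when run directly: one cd() call produces two commands on the wire.
const demo = new RecordingSocket();
cdVulnerable(demo, ATTACK_PATH);
console.log(demo.commands()); // [ 'CWD uploads', 'DELE /srv/ftp/important.txt' ]
console.log("5.2.0 affected:", isAffectedVersion("5.2.0")); // true
console.log("5.2.1 affected:", isAffectedVersion("5.2.1")); // false
```

Run it with `node` to see the split. The point of the two send() variants is where the check sits: the hardened version rejects the string at the last step before the socket, which is the only place that sees every command the library builds. hasCrlf() is the application-side equivalent for the interim, applied to the raw user input; both are needed only until the dependency is at 5.2.1 or later, which isAffectedVersion() can confirm from package-lock.json.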

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            3.1      8.6    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
vendor_redhat           8.6    HIGH