CVE-2026-39983

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b
https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q

Configurations

No configuration.

History

09 Apr 2026, 20:16

Type	Values Removed	Values Added
References	~~() https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q -~~	() https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q -

09 Apr 2026, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-09 18:17

Updated : 2026-04-09 20:16

NVD link : CVE-2026-39983

Mitre link : CVE-2026-39983

CVE.ORG link : CVE-2026-39983

JSON object : View

Products Affected

No product.

CWE

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

8.6 /10