High (8.6)

basic-ftp CRLF command injection (CVE-2026-39983)

Command injection in basic-ftp <5.2.1 grants remote FTP server compromise by injecting CRLF into file paths. Upgrade to version 5.2.1 to block arbitrary FTP commands.

Affected: Patrickjuchli Basic-ftp

Vendor-confirmed: CVE-2026-39983 is a high-severity command-injection vulnerability in basic-ftp versions prior to 5.2.1 that grants unauthenticated attackers remote code execution on FTP servers by injecting CRLF sequences into file path parameters.

Overview

A command injection vulnerability, tracked as CVE-2026-39983, exists in the basic-ftp library for Node.js, a widely used FTP client. The flaw allows an attacker who controls a file path parameter, such as one derived from user input, to inject arbitrary FTP commands into the control connection.

Vulnerability Details

The vulnerability stems from insufficient sanitization of file path arguments passed to high-level API methods like cd(), remove(), uploadFrom(), and list(). The library’s protectWhitespace() helper function only protects against leading spaces, leaving carriage return and line feed (\r\n) sequences untouched. When the FtpContext.send() method constructs the final FTP command, it appends its own \r\n sequence to terminate the command. If an attacker-supplied path contains \r\n, it splits the intended single command, allowing the following text to be executed as a new, separate FTP command. This grants the attacker the ability to issue any command the FTP server permits, such as deleting files, uploading malicious content, or retrieving sensitive data.

Impact

With a high CVSS score of 8.6, this vulnerability poses a significant risk. The attack vector is network-based, requires no privileges or user interaction, and is of low complexity. An attacker exploiting this flaw could achieve remote command execution in the FTP server’s context, leading to data theft, data destruction, or a compromised server that could be used as a foothold for further attacks. For organizations handling sensitive data transfers via FTP, this is a critical security concern.

Remediation and Mitigation

The primary and immediate action is to upgrade the basic-ftp package to version 5.2.1 or later, where this vulnerability has been fixed.

Actionable Steps:

  1. Update: Run npm update basic-ftp in your project directory to install version 5.2.1.
  2. Verify: Check your package.json and package-lock.json files to confirm the version is ^5.2.1.
  3. Audit Input: As a general security practice, rigorously validate and sanitize all user-supplied input that is passed to file system or network APIs, even when using a trusted library. Assume all input is malicious until proven otherwise.

If an immediate update is not possible, audit all code paths where user-controlled data is passed to any basic-ftp method that accepts a path, and implement strict validation to reject strings containing CRLF (\r\n) sequences.
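The following is an added example, not basic-ftp's own code. It models the framing the advisory describes (send() appending "\r\n" to "VERB path") to show how an embedded CRLF turns one command into two, and then applies the recommended interim fix: reject any path containing CR or LF before it reaches a basic-ftp method. The method list in guardPaths is an assumption.

```javascript
// Constructed model of control-connection framing: "VERB arg" plus the CRLF
// terminator that the advisory says FtpContext.send() appends.
function frameCommand(verb, arg) {
  return `${verb} ${arg}\r\n`;
}

// Constructed model of the server side: every CRLF ends one command.
function serverSplit(wire) {
  return wire.split("\r\n").filter((line) => line.length > 0);
}

// Which commands a server would see for a given path handed to cd().
function commandsSeenByServer(path) {
  return serverSplit(frameCommand("CWD", path));
}

// The validation the advisory recommends. Bare CR and LF are each rejected,
// since some servers also accept a lone LF as a line terminator.
function isSafeFtpPath(path) {
  return typeof path === "string" && !/[\r\n]/.test(path);
}

// Wrap a basic-ftp Client (or any object with the same method names) so every
// string argument of a path-taking method is validated first. Rejection is a
// synchronous throw, so nothing is ever written to the control connection.
// The default method list is an assumption; extend it to whatever you call.
function guardPaths(client, methods = ["cd", "remove", "list", "uploadFrom", "downloadTo"]) {
  const guarded = Object.create(client); // unlisted methods fall through unchanged
  for (const name of methods) {
    guarded[name] = (...args) => {
      for (const a of args) {
        if (typeof a === "string" && !isSafeFtpPath(a)) {
          throw new Error(`refusing FTP argument containing CR/LF: ${JSON.stringify(a)}`);
        }
      }
      return client[name](...args);
    };
  }
  return guarded;
}
```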

Security Insight

This vulnerability highlights the persistent risk of injection attacks when data and control channels are not properly separated. It is reminiscent of classic web vulnerabilities like HTTP header injection or SQL injection, now manifesting in a protocol-specific client library. The flaw’s presence in a helper function named protectWhitespace() suggests a security gap where a partial mitigation was mistaken for a complete one, a common pitfall in secure coding.

Update - May 2026

Since the April 9 publication, no vendor update has been issued beyond the original patch in basic-ftp 5.2.1. CISA has not added CVE-2026-39983 to its Known Exploited Vulnerabilities catalog as of May 11; monitor KEV for inclusion given active scanning.

The EPSS score has increased from 0.0156 to 0.0184, now at the 83rd percentile, indicating heightened threat actor interest and moderate probability of exploitation in the wild. No confirmed public exploit code or mass exploitation campaigns have been reported as of this date.

On April 28, a related CRLF injection vulnerability was disclosed in ftp-srv (CVE-2026-40312), affecting the same attack vector: command injection via newline sequences in file paths. This suggests adversaries are targeting FTP libraries in Node.js environments with chained exploitation attempts.

Detection signatures: Network defenders should deploy Snort/Suricata rules matching \x0d\x0a in FTP path commands (PWD, CWD, DELE, RNFR) and monitor for consecutive RCMD requests containing carriage return bytes.
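As an added example (not from the advisory, Snort or Suricata), here is a constructed detector over client-to-server FTP control-channel payloads that flags the pattern the signature guidance above describes: a path-taking command whose single write carries CR/LF bytes inside or after the path, so that one client segment holds more than one command. The verb set is the advisory's list (PWD, CWD, DELE, RNFR); extending it is an assumption left to the reader.

```javascript
const PATH_VERBS = new Set(["PWD", "CWD", "DELE", "RNFR"]);

// Inspect one client-to-server payload (one TCP segment / one write).
// Returns an array of finding strings; an empty array means nothing suspicious.
function inspectPayload(payload) {
  const findings = [];
  const end = payload.indexOf("\r\n");
  const first = end === -1 ? payload : payload.slice(0, end);
  const trailing = end === -1 ? "" : payload.slice(end + 2);
  const space = first.indexOf(" ");
  const verb = (space === -1 ? first : first.slice(0, space)).toUpperCase();
  const arg = space === -1 ? "" : first.slice(space + 1);
  // Only path-taking verbs are keyed: pipelined housekeeping such as
  // "TYPE I\r\nPASV\r\n" in one segment is legitimate and is not reported.
  if (!PATH_VERBS.has(verb)) return findings;
  if (/[\r\n]/.test(arg)) findings.push(`${verb}: bare CR or LF inside path argument`);
  if (trailing.length > 0) {
    const next = trailing.split("\r\n")[0];
    findings.push(`${verb}: second command in the same write: ${next}`);
  }
  return findings;
}

// Run the detector over a captured sequence of payloads; alerts carry the
// index of the offending write so it can be matched back to the capture.
function auditSession(payloads) {
  const alerts = [];
  payloads.forEach((p, i) => {
    const findings = inspectPayload(p);
    if (findings.length > 0) alerts.push({ index: i, findings });
  });
  return alerts;
}

// Constructed sample session: three benign writes and one whose CWD argument
// carried an embedded CRLF, exactly the framing the advisory describes.
const SAMPLE_SESSION = [
  "USER demo\r\n",
  "TYPE I\r\nPASV\r\n",
  "CWD pub/incoming\r\n",
  "CWD pub\r\nNOOP\r\n",
];
```

A real deployment would feed this from a packet capture or a proxy that sees the raw client writes; the heuristic cannot see CRLF that the server has already consumed as a line terminator, which is why it keys on whole segments rather than on parsed commands.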

Recommended actions: Immediately upgrade to basic-ftp 5.2.1 or later. If immediate patching is not possible, implement allowlist-based path validation and block FTP commands containing raw CR/LF characters at the application layer. Audit logs for failed path operations whose path arguments exceed 200 bytes.
