PT-2026-31666 · Basic-Ftp · Basic-Ftp

Zebbern · Published 2026-04-08 · Updated 2026-05-07 · CVE-2026-39983

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:C/A:P
Name of the Vulnerable Software and Affected Versions: basic-ftp versions 5.2.0
Description: basic-ftp is an FTP client for Node.js. Versions prior to 5.2.1 are susceptible to FTP command injection due to improper handling of CRLF sequences (\r\n) within file path parameters used in high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The protectWhitespace() function inadequately sanitizes paths, and the FtpContext.send() function directly appends \r\n to commands, allowing attacker-controlled paths to split intended FTP commands. This can lead to arbitrary file deletion, directory manipulation, file exfiltration, potential server command execution, session hijacking, and service disruption. The vulnerability stems from the interaction between insufficient path sanitization in protectWhitespace() and the direct socket write in send(). Affected methods include cd(), remove(), list(), downloadTo(), uploadFrom(), rename(), and removeDir(). An attacker controlling file path parameters can inject arbitrary FTP protocol commands.
Recommendations: Sanitize all path inputs before passing them to basic-ftp. Reject or strip \r and \n characters from all path inputs in the protectWhitespace() function.
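The recommendation above, as an added example that is not basic-ftp's own code: a guard that rejects CR/LF in paths before they reach the library, a pure string check showing why the guard matters, and a hypothetical wrapper over the path methods named on this page (the wrapper assumes only a client object exposing those method names; argument positions are not assumed).

```javascript
// Added example (not basic-ftp's own code): keep CR/LF out of paths
// before they reach basic-ftp's path APIs. basic-ftp < 5.2.1 appends
// "\r\n" to every command in FtpContext.send(), and protectWhitespace()
// did not reject CR/LF in paths, so one path argument could be written
// to the control socket as several FTP commands.

const CR_LF = /[\r\n]/;

// Returns the path unchanged, or throws if it contains CR or LF.
function assertSafeFtpPath(path) {
  if (typeof path !== "string") throw new TypeError("FTP path must be a string");
  if (CR_LF.test(path)) throw new Error("FTP path contains CR/LF; refusing to send");
  return path;
}

// Number of non-empty protocol lines a "<verb> <path>\r\n" command would
// occupy on the wire. Anything above 1 means a server would read extra
// commands from a single path argument. Pure string check; nothing is sent.
function commandLineCount(verb, path) {
  return `${verb} ${path}\r\n`.split(/\r?\n/).filter((l) => l !== "").length;
}

// Hypothetical wrapper around a basic-ftp Client (assumed: an object with
// the method names listed on this page). Every string argument is checked
// before the call is delegated, so no CR/LF-bearing path reaches send().
const PATH_METHODS = ["cd", "remove", "rename", "uploadFrom", "downloadTo", "list", "removeDir"];

function guardedClient(client) {
  const guarded = {};
  for (const name of PATH_METHODS) {
    guarded[name] = (...args) => {
      for (const a of args) if (typeof a === "string") assertSafeFtpPath(a);
      return client[name](...args);
    };
  }
  return guarded;
}
```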

Related Identifiers

BDU:2026-05098
CVE-2026-39983
GHSA-CHQC-8P9Q-PQ6Q

Affected Products

Basic-Ftp