CVE-2026-39983 Overview
CVE-2026-39983 is a command injection vulnerability in basic-ftp, a popular FTP client library for Node.js. Prior to version 5.2.1, the library fails to properly sanitize CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). This allows attackers to inject arbitrary FTP commands by crafting malicious path strings.
The vulnerability stems from the library's protectWhitespace() helper function, which only handles leading spaces and returns other paths unchanged. Since FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended, attacker-controlled path strings can effectively split one intended FTP command into multiple commands, enabling unauthorized operations on the FTP server.
Critical Impact
Attackers can inject arbitrary FTP commands through malicious file paths, potentially enabling unauthorized file operations, data exfiltration, or server compromise on connected FTP servers.
Affected Products
- basic-ftp for Node.js versions prior to 5.2.1
Discovery Timeline
- April 9, 2026 - CVE-2026-39983 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-39983
Vulnerability Analysis
This vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences). The fundamental issue lies in how the basic-ftp library processes user-supplied file paths before sending them as FTP commands.
The FTP protocol uses CRLF sequences (\r\n) as command delimiters on the control channel. When an application passes a path containing these characters to any of the vulnerable API methods, the library's insufficient sanitization lets the attacker's payload be interpreted by the server as additional FTP commands.
The protectWhitespace() function was designed to handle edge cases with whitespace in paths but did not account for control characters that could be used to terminate commands prematurely and inject new ones. This oversight creates a classic injection pattern where trusted and untrusted data are concatenated without proper boundary enforcement.
Root Cause
The root cause is the inadequate input validation in the protectWhitespace() helper function. This function only checks for and handles leading spaces in file paths, leaving CRLF sequences (\r\n) and null bytes (\0) unchecked. When these unvalidated paths are passed to FtpContext.send(), which directly writes to the FTP control socket with an appended \r\n, the attacker-controlled path content can break out of the intended command context.
Attack Vector
An attacker can exploit this vulnerability by providing a malicious file path to any of the affected API methods. For example, a path like "file.txt\r\nDELE important.txt\r\n" passed to the cd() function would result in both the intended CWD command and an unauthorized DELE (delete) command being sent to the FTP server. This attack requires network access and the ability to influence file path parameters used by the vulnerable application.
The following patch demonstrates how the fix validates paths to reject control character injection:
* a given path to fix that issue for most cases.
*/
async protectWhitespace(path: string): Promise<string> {
+ // Reject CRLF injection attempts
+ if (/[\r\n\0]/.test(path)) {
+ throw new Error("Invalid path: Contains control characters");
+ }
if (!path.startsWith(" ")) {
return path
}
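Review bot: the new /[\r\n\0]/ check lives only in protectWhitespace(), so any path that reaches FtpContext.send() by another route is still written to the control socket unvalidated; consider applying the same rejection in send() as defence in depth. The doc comment above the method ("to fix that issue for most cases") should also state that it now throws on control characters, and a dedicated error type instead of a bare Error would let callers distinguish rejected input from transport failures.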
Source: GitHub Commit Update
Detection Methods for CVE-2026-39983
Indicators of Compromise
- Unusual FTP commands in server logs that appear concatenated or contain unexpected operations
- FTP command sequences containing CRLF characters (\r\n) or null bytes within path parameters
- Unexpected file deletions, transfers, or directory changes on FTP servers
- Application error logs showing failed FTP operations following suspicious path inputs
Detection Strategies
- Implement network traffic monitoring to detect FTP command injection patterns
- Review application logs for file path inputs containing control characters
- Audit dependencies using npm audit or similar tools to identify vulnerable versions of basic-ftp
- Deploy runtime application self-protection (RASP) solutions that can detect command injection attempts
Monitoring Recommendations
- Enable detailed FTP server logging and monitor for anomalous command sequences
- Set up alerts for FTP operations occurring outside normal business processes
- Monitor Node.js application logs for errors related to invalid path characters
- Implement file integrity monitoring on critical FTP server directories
How to Mitigate CVE-2026-39983
Immediate Actions Required
- Upgrade basic-ftp to version 5.2.1 or later immediately
- Audit applications using basic-ftp to identify exposure points where user-controlled input reaches file path APIs
- Implement input validation to reject file paths containing CRLF sequences before passing them to basic-ftp
- Review FTP server logs for signs of exploitation
Patch Information
The vulnerability is fixed in basic-ftp version 5.2.1. The fix adds validation in the protectWhitespace() function to reject paths containing carriage return (\r), line feed (\n), or null byte (\0) characters, throwing an error if these control characters are detected. The security patch is available in commit 2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b.
For more information, see the GitHub Security Advisory GHSA-chqc-8p9q-pq6q and the GitHub Release v5.2.1.
Workarounds
- Implement application-level input validation to strip or reject paths containing \r, \n, or \0 characters
- Use allowlisting for permitted characters in file path inputs
- Deploy web application firewalls (WAF) to filter requests containing control characters in path parameters
- Isolate FTP operations to dedicated service accounts with minimal privileges
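The two application-level guards above (reject control characters, or allowlist permitted characters), written out as an added example that is not part of basic-ftp; the function names are hypothetical, and the rejection regex mirrors the check introduced in 5.2.1:

```javascript
// Added example (not basic-ftp code): guard user-influenced paths before
// they reach basic-ftp's path APIs. Function names are hypothetical.

// CR, LF and NUL are the bytes that break FTP control-channel framing.
// This is the same class the 5.2.1 protectWhitespace() fix rejects.
const CONTROL_CHARS = /[\r\n\0]/;

// Policy 1: reject any path containing control characters. Throwing keeps
// the failure visible in application logs (see the monitoring section).
function assertSafeFtpPath(path) {
  if (typeof path !== "string") {
    throw new TypeError("FTP path must be a string");
  }
  if (CONTROL_CHARS.test(path)) {
    throw new Error("Invalid path: Contains control characters");
  }
  return path;
}

// Policy 2 (stricter): deny by default, allow only an explicit character set.
// Widen the class to match your naming scheme; keep CR/LF/NUL out of it.
const ALLOWED_PATH = /^[A-Za-z0-9._\/ -]+$/;
function isAllowlistedFtpPath(path) {
  return typeof path === "string" && ALLOWED_PATH.test(path);
}

// Frame a command the way a naive client does (`CMD path` + CRLF) and count
// how many commands the server would parse. A safe path yields exactly one;
// a higher count shows the path can split the command (the CWE-93 pattern).
function framedCommandCount(command, path) {
  const wire = `${command} ${path}\r\n`;
  return wire.split("\r\n").filter((line) => line.length > 0).length;
}

// Wrapper pattern for a basic-ftp client: validate, then call the path API.
// `client` is any object exposing cd(); in production this is a basic-ftp Client.
async function guardedCd(client, userPath) {
  return client.cd(assertSafeFtpPath(userPath));
}
```

Constructed inputs such as "pub/report.txt" pass both policies and frame as one command, while the page's "file.txt\r\nDELE important.txt\r\n" is rejected by both and would frame as two.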
# Configuration example
# Update basic-ftp within the version range declared in package.json
npm update basic-ftp
# Or explicitly install the fixed version and record it in package.json
npm install basic-ftp@5.2.1 --save
# Confirm the resolved version is 5.2.1 or later
npm ls basic-ftp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.