basic-ftp FTP Command Injection via CRLF Characters
basic-ftp version 5.2.0 is vulnerable to FTP command injection via CRLF sequences in file path parameters passed to path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with ` ` appended, allowing attacker-controlled path strings to split one intended FTP command into multiple commands.
The basic-ftp npm package, version 5.2.0, contains a command injection vulnerability stemming from improper sanitization of file path parameters. Specifically, the protectWhitespace() function fails to neutralize CRLF sequences (\r\n), allowing attackers to inject arbitrary FTP commands. The vulnerability exists because the send() function in FtpContext.js directly writes commands to the control socket with \r\n appended. This allows an attacker to craft malicious path strings that, when processed by the affected methods (cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir()), result in the execution of unintended FTP commands. This vulnerability impacts applications that use basic-ftp to interact with FTP servers and accept user-controlled input for file paths. The vulnerability was confirmed in version 5.2.0, and as of 2026-04-04, no fix is available.
Attack Chain
- An attacker crafts a malicious file path containing CRLF sequences (
\r\n) and an injected FTP command. - The attacker provides the malicious path as input to one of the vulnerable
basic-ftpmethods, such ascd(),remove(),rename(),uploadFrom(),downloadTo(),list(), orremoveDir(). - The
protectWhitespace()function inClient.jsis called, but it fails to sanitize the CRLF sequences in the path. - The unsanitized path is passed to the
send()function inFtpContext.js, which appends\r\nto the command string and writes it to the TCP socket. - The FTP server interprets the CRLF sequences as command delimiters, splitting the intended command into multiple commands.
- The injected FTP command is executed by the server. This can include deleting files (
DELE), creating/removing directories (MKD,RMD), or triggering downloads (RETR). - The attacker potentially hijacks the session by injecting
USERandPASScommands. - The attacker gains unauthorized access to files, directories, or potentially executes arbitrary commands on the FTP server, leading to data exfiltration or service disruption.
Impact
Successful exploitation of this vulnerability can lead to severe consequences, including arbitrary file deletion, directory manipulation, file exfiltration, server command execution (if supported by the FTP server), session hijacking, and service disruption. The vulnerability poses a significant risk to applications that rely on basic-ftp and accept user-supplied file paths. If an attacker controls the FTP paths, they can inject arbitrary commands, compromising the confidentiality, integrity, and availability of the FTP server and its data.
Recommendation
- Apply the immediate workaround by sanitizing all path inputs before passing them to
basic-ftp, rejecting paths containing\ror\ncharacters. See the provided sanitization example in the mitigation section of this brief. - Monitor network connections for FTP traffic containing suspicious commands within file paths, using the provided Sigma rule targeting network connections with CRLF sequences.
- Upgrade to a patched version of
basic-ftpas soon as one becomes available that properly sanitizes or rejects CRLF sequences in file paths, addressing the root cause detailed in the overview of this brief.
Detection coverage 2
Detect FTP Command Injection via CRLF Sequences
highDetects FTP commands containing CRLF sequences, indicating potential command injection.
Detect basic-ftp CRLF Injection Attempt in Web Logs
mediumDetects attempts to exploit basic-ftp CRLF injection by looking for CRLF sequences in URI queries.
Detection queries are available on the platform. Get full rules →