Skip to content
Threat Feed

Vendor

Basic-Ftp

3 briefs RSS
high advisory

basic-ftp FTP Command Injection via CRLF Characters

basic-ftp version 5.2.0 is vulnerable to FTP command injection via CRLF sequences in file path parameters passed to path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with ` ` appended, allowing attacker-controlled path strings to split one intended FTP command into multiple commands.

basic-ftp ftp command-injection crlf
2r 1t
high advisory

basic-ftp Denial-of-Service Vulnerability via Unbounded Memory Consumption

The basic-ftp npm package version 5.2.2 and earlier is vulnerable to a denial-of-service attack. A malicious FTP server can send an extremely large or never-ending directory listing in response to the Client.list() command, causing the client to consume excessive memory until the process becomes unstable or crashes due to unbounded memory growth in the StringWriter class.

basic-ftp denial-of-service ftp memory-exhaustion npm
2r 1t
high advisory

basic-ftp CRLF Injection Vulnerability Allows Arbitrary FTP Command Execution

The basic-ftp npm package (<= 5.2.1) is vulnerable to CRLF injection, enabling attackers to inject arbitrary FTP commands via crafted credentials or MKD commands, leading to file manipulation, server command execution, and potential session hijacking.

basic-ftp crlf-injection ftp command-injection nodejs
2r 3t