Vendor
basic-ftp FTP Command Injection via CRLF Characters
2 rules 1 TTPbasic-ftp version 5.2.0 is vulnerable to FTP command injection via CRLF sequences in file path parameters passed to path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with ` ` appended, allowing attacker-controlled path strings to split one intended FTP command into multiple commands.
basic-ftp Denial-of-Service Vulnerability via Unbounded Memory Consumption
2 rules 1 TTPThe basic-ftp npm package version 5.2.2 and earlier is vulnerable to a denial-of-service attack. A malicious FTP server can send an extremely large or never-ending directory listing in response to the Client.list() command, causing the client to consume excessive memory until the process becomes unstable or crashes due to unbounded memory growth in the StringWriter class.
basic-ftp CRLF Injection Vulnerability Allows Arbitrary FTP Command Execution
2 rules 3 TTPsThe basic-ftp npm package (<= 5.2.1) is vulnerable to CRLF injection, enabling attackers to inject arbitrary FTP commands via crafted credentials or MKD commands, leading to file manipulation, server command execution, and potential session hijacking.