{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/basic-ftp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["basic-ftp"],"_cs_severities":["high"],"_cs_tags":["ftp","command-injection","crlf"],"_cs_type":"advisory","_cs_vendors":["basic-ftp"],"content_html":"\u003cp\u003eThe \u003ccode\u003ebasic-ftp\u003c/code\u003e npm package, version 5.2.0, contains a command injection vulnerability stemming from improper sanitization of file path parameters. Specifically, the \u003ccode\u003eprotectWhitespace()\u003c/code\u003e function fails to neutralize CRLF sequences (\u003ccode\u003e\\r\\n\u003c/code\u003e), allowing attackers to inject arbitrary FTP commands. The vulnerability exists because the \u003ccode\u003esend()\u003c/code\u003e function in \u003ccode\u003eFtpContext.js\u003c/code\u003e directly writes commands to the control socket with \u003ccode\u003e\\r\\n\u003c/code\u003e appended. This allows an attacker to craft malicious path strings that, when processed by the affected methods (cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir()), result in the execution of unintended FTP commands. This vulnerability impacts applications that use \u003ccode\u003ebasic-ftp\u003c/code\u003e to interact with FTP servers and accept user-controlled input for file paths. The vulnerability was confirmed in version 5.2.0, and as of 2026-04-04, no fix is available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious file path containing CRLF sequences (\u003ccode\u003e\\r\\n\u003c/code\u003e) and an injected FTP command.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the malicious path as input to one of the vulnerable \u003ccode\u003ebasic-ftp\u003c/code\u003e methods, such as \u003ccode\u003ecd()\u003c/code\u003e, \u003ccode\u003eremove()\u003c/code\u003e, \u003ccode\u003erename()\u003c/code\u003e, \u003ccode\u003euploadFrom()\u003c/code\u003e, \u003ccode\u003edownloadTo()\u003c/code\u003e, \u003ccode\u003elist()\u003c/code\u003e, or \u003ccode\u003eremoveDir()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprotectWhitespace()\u003c/code\u003e function in \u003ccode\u003eClient.js\u003c/code\u003e is called, but it fails to sanitize the CRLF sequences in the path.\u003c/li\u003e\n\u003cli\u003eThe unsanitized path is passed to the \u003ccode\u003esend()\u003c/code\u003e function in \u003ccode\u003eFtpContext.js\u003c/code\u003e, which appends \u003ccode\u003e\\r\\n\u003c/code\u003e to the command string and writes it to the TCP socket.\u003c/li\u003e\n\u003cli\u003eThe FTP server interprets the CRLF sequences as command delimiters, splitting the intended command into multiple commands.\u003c/li\u003e\n\u003cli\u003eThe injected FTP command is executed by the server. This can include deleting files (\u003ccode\u003eDELE\u003c/code\u003e), creating/removing directories (\u003ccode\u003eMKD\u003c/code\u003e, \u003ccode\u003eRMD\u003c/code\u003e), or triggering downloads (\u003ccode\u003eRETR\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker potentially hijacks the session by injecting \u003ccode\u003eUSER\u003c/code\u003e and \u003ccode\u003ePASS\u003c/code\u003e commands.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to files, directories, or potentially executes arbitrary commands on the FTP server, leading to data exfiltration or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to severe consequences, including arbitrary file deletion, directory manipulation, file exfiltration, server command execution (if supported by the FTP server), session hijacking, and service disruption. The vulnerability poses a significant risk to applications that rely on \u003ccode\u003ebasic-ftp\u003c/code\u003e and accept user-supplied file paths. If an attacker controls the FTP paths, they can inject arbitrary commands, compromising the confidentiality, integrity, and availability of the FTP server and its data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the immediate workaround by sanitizing all path inputs before passing them to \u003ccode\u003ebasic-ftp\u003c/code\u003e, rejecting paths containing \u003ccode\u003e\\r\u003c/code\u003e or \u003ccode\u003e\\n\u003c/code\u003e characters. See the provided sanitization example in the mitigation section of this brief.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for FTP traffic containing suspicious commands within file paths, using the provided Sigma rule targeting network connections with CRLF sequences.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003ebasic-ftp\u003c/code\u003e as soon as one becomes available that properly sanitizes or rejects CRLF sequences in file paths, addressing the root cause detailed in the overview of this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-basic-ftp-crlf/","summary":"basic-ftp version 5.2.0 is vulnerable to FTP command injection via CRLF sequences in file path parameters passed to path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with `\r\n` appended, allowing attacker-controlled path strings to split one intended FTP command into multiple commands.","title":"basic-ftp FTP Command Injection via CRLF Characters","url":"https://feed.craftedsignal.io/briefs/2024-01-09-basic-ftp-crlf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["basic-ftp"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","ftp","memory-exhaustion","npm"],"_cs_type":"advisory","_cs_vendors":["basic-ftp"],"content_html":"\u003cp\u003eThe \u003ccode\u003ebasic-ftp\u003c/code\u003e npm package, specifically version 5.2.2 and earlier, is susceptible to a denial-of-service (DoS) vulnerability. This vulnerability arises when the package is used to list directories from a remote FTP server. A malicious or compromised FTP server can exploit this by sending an excessively large or unending directory listing in response to the \u003ccode\u003eClient.list()\u003c/code\u003e command. The \u003ccode\u003ebasic-ftp\u003c/code\u003e client, upon receiving this malicious response, attempts to buffer the entire listing in memory using the \u003ccode\u003eStringWriter\u003c/code\u003e class. The \u003ccode\u003eStringWriter\u003c/code\u003e class lacks any size limitations, resulting in unbounded memory growth as it concatenates incoming data chunks. This sustained memory allocation eventually leads to process instability and, ultimately, a crash of the application or service utilizing the vulnerable \u003ccode\u003ebasic-ftp\u003c/code\u003e package. The vulnerability stems from the package's default directory listing flow within \u003ccode\u003edist/Client.js\u003c/code\u003e, where the full listing response is downloaded into a \u003ccode\u003eStringWriter\u003c/code\u003e before parsing, as well as the unlimited buffering capability of \u003ccode\u003edist/StringWriter.js\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn application using \u003ccode\u003ebasic-ftp\u003c/code\u003e connects to an attacker-controlled or compromised FTP server.\u003c/li\u003e\n\u003cli\u003eThe application initiates a directory listing request by calling the \u003ccode\u003eclient.list()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe malicious FTP server responds with an extremely large or never-ending directory listing.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003ebasic-ftp\u003c/code\u003e library, the \u003ccode\u003e_requestListWithCommand\u003c/code\u003e function in \u003ccode\u003edist/Client.js\u003c/code\u003e is invoked.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edownloadTo\u003c/code\u003e function in \u003ccode\u003etransfer_1.js\u003c/code\u003e starts downloading the listing response to a \u003ccode\u003eStringWriter\u003c/code\u003e instance.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eStringWriter\u003c/code\u003e class, in \u003ccode\u003edist/StringWriter.js\u003c/code\u003e, receives chunks of data from the listing response.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_write\u003c/code\u003e method of \u003ccode\u003eStringWriter\u003c/code\u003e concatenates each chunk to an in-memory \u003ccode\u003eBuffer\u003c/code\u003e without any size checks, leading to unbounded memory consumption via \u003ccode\u003ethis.buf = Buffer.concat([this.buf, chunk])\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe excessive memory allocation causes the application's process to become unstable and eventually crash due to memory exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows a malicious actor to perform a denial-of-service attack against applications and services that rely on the \u003ccode\u003ebasic-ftp\u003c/code\u003e package to interact with FTP servers. The attack is triggered when the application connects to a malicious FTP server and attempts to list a directory. Successful exploitation leads to excessive memory consumption, resulting in process instability and potential termination of the application. This can disrupt services, cause data unavailability, and negatively impact overall system reliability. The impact is primarily targeted at services using the vulnerable \u003ccode\u003ebasic-ftp@5.2.2\u003c/code\u003e against untrusted FTP endpoints.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement application-level checks to monitor memory usage and restart processes exceeding acceptable thresholds (reference: Impact section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect basic-ftp StringWriter Memory Exhaustion\u003c/code\u003e to identify processes using \u003ccode\u003ebasic-ftp\u003c/code\u003e that are allocating large amounts of memory (reference: rules section).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003ebasic-ftp\u003c/code\u003e that includes a fix for the unbounded memory consumption issue.\u003c/li\u003e\n\u003cli\u003eImplement a maximum listing size within your application, aborting transfers that exceed the configured limit, as suggested in the advisory's remediation section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-basic-ftp-dos/","summary":"The basic-ftp npm package version 5.2.2 and earlier is vulnerable to a denial-of-service attack. A malicious FTP server can send an extremely large or never-ending directory listing in response to the Client.list() command, causing the client to consume excessive memory until the process becomes unstable or crashes due to unbounded memory growth in the StringWriter class.","title":"basic-ftp Denial-of-Service Vulnerability via Unbounded Memory Consumption","url":"https://feed.craftedsignal.io/briefs/2024-01-basic-ftp-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["basic-ftp"],"_cs_severities":["high"],"_cs_tags":["crlf-injection","ftp","command-injection","nodejs"],"_cs_type":"advisory","_cs_vendors":["basic-ftp"],"content_html":"\u003cp\u003eThe basic-ftp npm package, versions 5.2.1 and earlier, contains an incomplete CRLF injection protection mechanism. This vulnerability allows attackers to inject arbitrary FTP commands into the control connection by bypassing the existing \u003ccode\u003eprotectWhitespace()\u003c/code\u003e control. There are two primary attack vectors: the first involves injecting commands via the \u003ccode\u003elogin()\u003c/code\u003e method by manipulating user-supplied credentials, and the second exploits a TOCTOU (Time-of-Check Time-of-Use) race condition in the \u003ccode\u003e_openDir()\u003c/code\u003e method. The vulnerability stems from the direct concatenation of user inputs into FTP commands without proper validation for CRLF characters (\\r\\n). Successful exploitation can lead to unauthorized file deletion, modification, and execution of arbitrary server commands. Applications that rely on basic-ftp and accept user-provided FTP credentials or paths are at high risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target application using basic-ftp (\u0026lt;= 5.2.1) that accepts user-controlled FTP credentials or paths.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious username or password containing CRLF sequences followed by FTP commands, such as \u003ccode\u003eanonymous\\r\\nDELE important.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe target application passes the crafted credentials to the \u003ccode\u003elogin()\u003c/code\u003e method in basic-ftp.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elogin()\u003c/code\u003e method concatenates the malicious username and password into USER and PASS commands without validation.\u003c/li\u003e\n\u003cli\u003ebasic-ftp sends the crafted FTP commands to the FTP server. The injected command (e.g., \u003ccode\u003eDELE important.txt\u003c/code\u003e) executes before the PASS command.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious directory path containing CRLF sequences followed by FTP commands, such as \u003ccode\u003etest\\r\\nDELE important.txt/subdir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe target application passes the crafted path to the \u003ccode\u003eensureDir()\u003c/code\u003e method, which calls \u003ccode\u003e_openDir()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_openDir()\u003c/code\u003e method sends an MKD command with the crafted path without validation. The injected command (e.g., \u003ccode\u003eDELE important.txt\u003c/code\u003e) executes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CRLF injection vulnerability can lead to several severe consequences. Attackers can delete or manipulate files on the FTP server by injecting \u003ccode\u003eDELE\u003c/code\u003e, \u003ccode\u003eRNFR\u003c/code\u003e, and \u003ccode\u003eRNTO\u003c/code\u003e commands. They can also create or remove directories using \u003ccode\u003eMKD\u003c/code\u003e and \u003ccode\u003eRMD\u003c/code\u003e. Furthermore, attackers can execute arbitrary server commands by injecting \u003ccode\u003eSITE\u003c/code\u003e commands, potentially changing file permissions (e.g., \u003ccode\u003eSITE CHMOD\u003c/code\u003e). In the case of credential injection, the attacker might be able to perform actions with default server permissions before proper authentication occurs. Applications that handle user-supplied FTP credentials, like web-based file managers, are prime targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix from the advisory by upgrading basic-ftp to a version greater than 5.2.1 or implementing CRLF validation as described in the advisory to prevent command injection in the \u003ccode\u003elogin()\u003c/code\u003e and \u003ccode\u003e_openDir()\u003c/code\u003e methods.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detect basic-ftp CRLF Injection in FTP Commands\u0026quot; to monitor for FTP commands containing CRLF characters in network traffic.\u003c/li\u003e\n\u003cli\u003eEnable network connection logging to capture FTP traffic for analysis and detection, as required by the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-basic-ftp-crlf-injection/","summary":"The basic-ftp npm package (\u003c= 5.2.1) is vulnerable to CRLF injection, enabling attackers to inject arbitrary FTP commands via crafted credentials or MKD commands, leading to file manipulation, server command execution, and potential session hijacking.","title":"basic-ftp CRLF Injection Vulnerability Allows Arbitrary FTP Command Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-02-basic-ftp-crlf-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Basic-Ftp","version":"https://jsonfeed.org/version/1.1"}