CVE-2026-39983
Published: 09 April 2026
Description
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2026-39983 by requiring timely patching of the basic-ftp library to version 5.2.1, which fixes the CRLF command injection in path parameters.
- Requires validation of file path inputs to the basic-ftp APIs to reject or sanitize CRLF sequences, preventing command injection even in vulnerable library versions.
- Enables scanning for and remediation of the CVE-2026-39983 vulnerability in basic-ftp dependencies, ensuring identification and patching of affected Node.js applications.
Security Summary
CVE-2026-39983 is a command injection vulnerability in the basic-ftp FTP client library for Node.js, affecting versions prior to 5.2.1. The issue arises because the library's protectWhitespace() helper only sanitizes leading spaces in file path parameters passed to high-level APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(), leaving CRLF sequences (\r\n) unhandled. The FtpContext.send() function then appends \r\n to the command string and sends it directly to the FTP control socket, allowing attacker-controlled paths to split a single intended FTP command into multiple arbitrary commands. The vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences) with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).
An attacker can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Exploitation occurs when an application using basic-ftp processes untrusted input as file paths in the affected APIs, enabling the injection of additional FTP commands. Successful attacks can result in limited confidentiality impacts (such as reading certain files), high integrity impacts (like unauthorized file modifications or deletions), and limited availability impacts, depending on the injected commands and FTP server permissions.
Mitigation is available in basic-ftp version 5.2.1, which addresses the flaw by properly handling CRLF sequences in path parameters. Security advisories and the patch details are documented in the GitHub security advisory (GHSA-chqc-8p9q-pq6q), the release notes for v5.2.1, and the fixing commit (2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b). Developers should upgrade to the patched version immediately.
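As an added illustration (not basic-ftp's own code and not part of this advisory), the following models the control-channel framing the advisory describes and shows the input check an application can apply before handing untrusted paths to the affected APIs; `buildControlLine`, `serverFrame` and `assertSafePath` are hypothetical names, and the sample paths are constructed.

```javascript
// Added example, not basic-ftp's code. The advisory states that the client
// writes "<command> <path>\r\n" to the control socket; an FTP server then
// reads one command per CRLF-terminated line. A path that carries its own
// CRLF therefore arrives as more than one command. Names here are hypothetical.

const CRLF = "\r\n";

// Simplified model of what a vulnerable client emits for a call such as cd(path):
// the path is interpolated unchanged and CRLF is appended.
function buildControlLine(verb, path) {
  return `${verb} ${path}${CRLF}`;
}

// Simplified model of server-side framing: one command per CRLF line.
function serverFrame(bytes) {
  return bytes.split(CRLF).filter((line) => line.length > 0);
}

// Application-side guard to run before calling the library: reject CR, LF and
// other control characters outright rather than trying to strip them.
function assertSafePath(path) {
  if (typeof path !== "string") throw new TypeError("path must be a string");
  if (/[\x00-\x1f\x7f]/.test(path)) {
    throw new Error("path contains control characters (possible CRLF injection)");
  }
  return path;
}

// Constructed sample inputs; the second line of the crafted path is a harmless NOOP.
const benignPath = "/uploads/report.txt";
const craftedPath = `/uploads/report.txt${CRLF}NOOP`;

// Returns what the server would see for a CWD with this path, and whether the
// guard would have let the path through.
function evaluatePath(path) {
  const commandsSeen = serverFrame(buildControlLine("CWD", path));
  let acceptedByGuard = true;
  try {
    assertSafePath(path);
  } catch (e) {
    acceptedByGuard = false;
  }
  return { commandsSeen, acceptedByGuard };
}

console.log(evaluatePath(benignPath));   // one command, accepted
console.log(evaluatePath(craftedPath));  // two commands, rejected by the guard
```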
Details
- CWE(s): CWE-93 (Improper Neutralization of CRLF Sequences)
Affected Products: basic-ftp (Node.js FTP client), versions prior to 5.2.1
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remotely exploitable (AV:N/AC:L/PR:N/UI:N) command injection in a Node.js FTP client library, enabling attackers to inject arbitrary FTP commands when untrusted input is processed as paths in public-facing applications using the library.