2456971 – (CVE-2026-39983) CVE-2026-39983 basic-ftp: basic-ftp: Command injection via CRLF sequences in file path parameters

Bug 2456971 (CVE-2026-39983) - CVE-2026-39983 basic-ftp: basic-ftp: Command injection via CRLF sequences in file path parameters

Summary: CVE-2026-39983 basic-ftp: basic-ftp: Command injection via CRLF sequences in ...

Keywords:
Status:	NEW
Alias:	CVE-2026-39983
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-09 18:02 UTC by OSIDB Bzimport
Modified:	2026-04-10 20:28 UTC (History)
CC List:	22 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-09 18:02:48 UTC

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
adudiak
alizardo
caswilli
dschmidt
erezende
jchui
jhe
jkoehler
jlanda
kaycoth
kshier
ktsao
lphiri
nboldt
oaljalju
psrna
simaishi
smcdonal
stcannon
teagle
yguenane