PatchSiren cyber security CVE debrief
CVE-2026-39983 patrickjuchli CVE debrief
The basic-ftp library for Node.js, prior to version 5.2.1, is vulnerable to FTP command injection attacks. This is due to the library's protectWhitespace() helper not properly handling CRLF sequences in file path parameters, which can lead to the splitting of one intended FTP command into multiple commands. An attacker can exploit this vulnerability by providing specially crafted path strings, potentially leading to unauthorized actions on the FTP server. The vulnerability has been patched in version 5.2.1 of the basic-ftp library. Users of affected versions should update to 5.2.1 or later to mitigate this risk.
- Vendor: patrickjuchli
- Product: basic-ftp
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-09
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-09
- Advisory updated: 2026-06-30
Who should care
Developers and administrators running Node.js applications that use the basic-ftp library should be aware of this vulnerability. Given its high severity (CVSS 8.6) and the potential for an attacker to inject arbitrary FTP commands into the control connection, immediate attention is required: review current usage of the library, check which deployments are exposed, and apply the patch to prevent exploitation.
Technical summary
The basic-ftp library for Node.js is susceptible to FTP command injection because of improper handling of CRLF sequences in file path parameters. The protectWhitespace() helper only removes leading spaces and leaves other paths unchanged. When such a path is passed to a high-level path API such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), or removeDir(), FtpContext.send() appends CRLF and writes the result to the control socket, so a path that already contains CRLF is read by the server as more than one command, letting an attacker inject additional FTP commands. The vulnerability is addressed in version 5.2.1 of the library.
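The following is an added example, not code from basic-ftp or from the advisory. It models the serialisation step described above (the client appends CRLF to "VERB path") to show how a path carrying CR/LF is read by a line-oriented server as two commands, and it pairs that with an application-side guard that rejects such paths before they reach any basic-ftp path API. The function names, the `serialiseCommand` model and the sample paths are all assumptions constructed for the demo.

```javascript
// Added example (not basic-ftp's code). Demonstrates why an unvalidated path
// that contains CR or LF splits one FTP command into several once the client
// writes "<VERB> <path>\r\n" onto the control socket, and shows a guard an
// application can apply before calling cd(), remove(), rename(), etc.

const CRLF = "\r\n";

// Models the client-side serialisation the advisory describes: the library
// appends CRLF to whatever string it is handed. Name and shape are assumptions.
function serialiseCommand(verb, path) {
  return `${verb} ${path}${CRLF}`;
}

// Splits a serialised buffer the way a line-oriented FTP server reads it:
// every CRLF-terminated line is a separate command.
function commandsAsServerSees(wire) {
  return wire.split(CRLF).filter((line) => line.length > 0);
}

// Defensive guard: reject any path carrying CR, LF or another C0 control byte
// before handing it to the FTP client. Returns the path unchanged when safe.
function assertSafeFtpPath(path) {
  if (typeof path !== "string") {
    throw new TypeError("FTP path must be a string");
  }
  // eslint-disable-next-line no-control-regex
  if (/[\x00-\x1f\x7f]/.test(path)) {
    throw new Error("FTP path contains control characters (possible command injection)");
  }
  return path;
}

// Constructed sample inputs, not taken from any real incident. The injected
// path only appends a harmless NOOP so the split is visible.
const benignPath = "reports/2026-04.csv";
const injectedPath = "reports/2026-04.csv" + CRLF + "NOOP";

function demo() {
  const safeWire = serialiseCommand("DELE", benignPath);
  const badWire = serialiseCommand("DELE", injectedPath);
  let guardRejectsInjected = false;
  try {
    assertSafeFtpPath(injectedPath);
  } catch (err) {
    guardRejectsInjected = true;
  }
  return {
    safeCommandCount: commandsAsServerSees(safeWire).length, // 1
    injectedCommandCount: commandsAsServerSees(badWire).length, // 2
    guardAcceptsBenign: assertSafeFtpPath(benignPath) === benignPath,
    guardRejectsInjected,
  };
}

console.log(demo());
```

The guard is deliberately stricter than a CR/LF check alone: any C0 control byte in a path has no legitimate use on an FTP control connection, so rejecting the whole range costs nothing and removes the need to enumerate every separator a given server might honour. Applying it at the boundary where user input enters the application is a compensating control for deployments that cannot upgrade immediately, not a replacement for moving to 5.2.1 or later.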
Defensive priority
High priority should be given to identifying and updating affected instances of the basic-ftp library. Given the potential for attackers to leverage this vulnerability for unauthorized actions, defenders should rapidly assess their inventory of Node.js applications that utilize basic-ftp, apply patches or mitigations, and monitor for suspicious activity.
Recommended defensive actions
- Update basic-ftp to version 5.2.1 or later.
- Review and inventory Node.js applications using basic-ftp.
- Monitor FTP server logs for suspicious activity.
- Implement additional security measures for FTP services.
- Consider compensating controls for unpatched systems.
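To support the inventory and update steps above, here is an added example (not part of the advisory or of basic-ftp) that walks an npm package-lock.json, collects every basic-ftp entry including nested copies, and flags those below the fixed release 5.2.1. The lockfile content is constructed for the demo; the version comparator, the helper names and the sample versions are assumptions.

```javascript
// Added example (not part of the advisory). Flags basic-ftp installs in a
// package-lock.json whose version is below the fixed release 5.2.1. The lock
// content at the bottom is constructed; for a real project, replace it with
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")).

const FIXED_VERSION = "5.2.1";

// Parses "major.minor.patch" into numbers; pre-release/build suffixes are
// stripped, which is good enough for a vulnerable-or-not decision.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Comparator: negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collects every basic-ftp occurrence from the lockfile v2/v3 "packages" map
// (keys are node_modules paths) or, for v1 lockfiles, the nested
// "dependencies" tree.
function findBasicFtp(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "node_modules/basic-ftp" || key.endsWith("/node_modules/basic-ftp")) {
      hits.push({ path: key, version: entry.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "basic-ftp") hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Returns only the installs still on a version below 5.2.1.
function vulnerableBasicFtp(lock) {
  return findBasicFtp(lock).filter((h) => compareVersions(h.version, FIXED_VERSION) < 0);
}

// Constructed sample lockfile: a direct install on an old 5.0.x release and a
// nested copy under another package that is already on the fixed release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/basic-ftp": { version: "5.0.5" },
    "node_modules/some-uploader": { version: "2.1.0" },
    "node_modules/some-uploader/node_modules/basic-ftp": { version: "5.2.1" },
  },
};

console.log(vulnerableBasicFtp(SAMPLE_LOCK));
```

Checking the lockfile rather than package.json matters because a caret range such as ^5.0.0 in package.json tells you nothing about what is actually installed, and a transitive dependency can pull in a second, older copy of basic-ftp that `npm ls basic-ftp` will list but a top-level glance will miss.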
Evidence notes
The CVE-2026-39983 vulnerability details were obtained from the NVD and CVE.org. The vulnerability is caused by the basic-ftp library's protectWhitespace() helper not properly handling CRLF sequences in file paths, allowing for FTP command injection. The vulnerability has a CVSS score of 8.6 and is classified as CWE-93. Multiple references, including GitHub advisories and Red Hat errata, confirm the vulnerability and provide mitigation steps.
Official resources
- CVE-2026-39983 CVE record (CVE.org)
- CVE-2026-39983 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.