PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39983 patrickjuchli CVE debrief

The basic-ftp library for Node.js, prior to version 5.2.1, is vulnerable to FTP command injection. The library's protectWhitespace() helper does not reject CRLF sequences in file path parameters, so a path containing a CRLF splits one intended FTP command into several when it is written to the control connection. An attacker who can influence the path strings an application passes to basic-ftp (for example, a user-supplied file name) can append their own FTP commands, which the server then executes with the application's session privileges. The vulnerability has been patched in version 5.2.1 of the basic-ftp library. Users of affected versions should update to 5.2.1 or later to mitigate this risk.

Vendor
patrickjuchli
Product
basic-ftp
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-09
Original CVE updated
2026-06-30
Advisory published
2026-04-09
Advisory updated
2026-06-30

Who should care

Developers and administrators using the basic-ftp library in Node.js applications should be aware of this vulnerability. The exposure is greatest where untrusted input (user-supplied file names, upload targets, paths taken from a request or a message queue) ends up in a path argument to basic-ftp, because that is the string an attacker can lace with CRLF. The injected commands are FTP protocol commands run on the application's authenticated control connection (not operating-system commands), so the damage is bounded by what that FTP account may do: listing, renaming, deleting or overwriting files the application can reach. Given the CVSS score of 8.6, immediate attention is warranted: review current usage of the library, check whether attacker-controlled data can reach its path APIs, and apply the patch.

Technical summary

The basic-ftp library for Node.js is susceptible to FTP command injection because it does not reject CRLF sequences in file path parameters. The protectWhitespace() helper only deals with leading spaces and passes every other path through unchanged, including paths that contain carriage return or line feed characters. The high-level path APIs cd(), remove(), rename(), uploadFrom(), downloadTo(), list() and removeDir() splice such a path into a command and hand it to FtpContext.send(), which appends CRLF and writes it to the control socket. The FTP server reads the stream line by line, so a path of the form "dir\r\nDELE target" arrives as two commands, CWD dir and DELE target, the second of which the application never intended to send. This is CRLF injection (CWE-93) applied to the FTP control channel. The vulnerability has been addressed in version 5.2.1 of the library.
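To make the splitting concrete, the following Node.js model (an added example, not basic-ftp's own code) sends a path through a client that terminates commands with CRLF, shows what the server sees on the other side of the control connection, and contrasts it with a client that refuses CR and LF up front. The class and function names (FakeControlSocket, cwdUnchecked, assertSafePath, cwdChecked) are hypothetical stand-ins, and the crafted path is constructed for the demonstration.

```javascript
// Added example, not basic-ftp's own code: a model of how a CR/LF inside a path
// turns one FTP command into two on the control connection, and the check that
// stops it. Class and function names here are hypothetical stand-ins.

const CRLF = "\r\n";

// Stand-in for the control socket: records every byte the client "writes".
class FakeControlSocket {
  constructor() {
    this.wire = "";
  }
  write(data) {
    this.wire += data;
  }
}

// Any FTP client terminates each command line with CRLF.
function sendCommand(socket, command) {
  socket.write(command + CRLF);
}

// Vulnerable pattern: the path is spliced into the command untouched, so a
// CRLF embedded in it becomes a command terminator on the wire.
function cwdUnchecked(socket, path) {
  sendCommand(socket, "CWD " + path);
}

// Hardened pattern: refuse any path carrying CR or LF before it reaches the
// wire. A bare LF is rejected too, since some servers accept it as a line end.
function assertSafePath(path) {
  if (/[\r\n]/.test(path)) {
    throw new Error("path contains CR or LF, refusing to send: " + JSON.stringify(path));
  }
  return path;
}

function cwdChecked(socket, path) {
  sendCommand(socket, "CWD " + assertSafePath(path));
}

// Server-side view: split the received stream at CRLF into individual commands.
function commandsSeenByServer(wire) {
  return wire.split(CRLF).filter((line) => line.length > 0);
}

// Runs one path through the unchecked client and reports what the server sees.
function injectedCommands(path) {
  const socket = new FakeControlSocket();
  cwdUnchecked(socket, path);
  return commandsSeenByServer(socket.wire);
}

// Returns true when the hardened client blocked the path and nothing hit the wire.
function hardenedRejects(path) {
  const socket = new FakeControlSocket();
  try {
    cwdChecked(socket, path);
    return false;
  } catch (err) {
    return socket.wire === "";
  }
}

// Constructed attacker input: a "directory name" that smuggles a DELE command.
const CRAFTED_PATH = "uploads\r\nDELE /srv/ftp/important.txt";

console.log(injectedCommands("uploads"));    // → [ 'CWD uploads' ]
console.log(injectedCommands(CRAFTED_PATH)); // → [ 'CWD uploads', 'DELE /srv/ftp/important.txt' ]
console.log(hardenedRejects(CRAFTED_PATH));  // → true
```

The point of the model is the second console line: the application called one method with one string, yet the server received two commands. Applications that cannot upgrade immediately can apply the same check as assertSafePath at the boundary where untrusted input becomes a path; note that a bare LF should be rejected as well as CRLF, because the server's line reader, not the client, decides what ends a command.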

Defensive priority

High priority should be given to identifying and updating affected instances of the basic-ftp library. Because the attacker needs to control a path string that the application hands to basic-ftp, defenders should rank applications by whether untrusted input can reach those path APIs, patch those first, and then work through the rest of the inventory. Where a patch cannot be applied immediately, reject CR and LF in path input at the application boundary and monitor the FTP server for commands the application is not designed to issue.

Recommended defensive actions

  • Update basic-ftp to version 5.2.1 or later in every application and container image that bundles it, including transitive copies pulled in by other packages.
  • Inventory Node.js applications using basic-ftp (package-lock.json, yarn.lock and SBOMs) and note which of them pass user-controlled data into path arguments.
  • Monitor FTP server logs on the control connection for commands the application never issues (for example DELE, RNFR/RNTO or SITE from an account that only uploads) and for CWD or STOR arguments that look truncated, which is what the first half of an injected path looks like.
  • Restrict the FTP account the application uses to the directories and commands it actually needs, so that an injected command has as little reach as possible.
  • For systems that cannot be patched yet, reject any path containing CR or LF before it reaches basic-ftp.
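The inventory step is the one most often done by hand; the following Node.js script (an added example, not from PatchSiren or the basic-ftp project) walks the "packages" map of a lockfileVersion 2 or 3 package-lock.json and reports every copy of basic-ftp, nested copies included, whose version is below 5.2.1. The sample lock object is constructed inline so the script runs offline; scanLockfile() is the hypothetical entry point for a real file.

```javascript
// Added example, not basic-ftp's or PatchSiren's code: find every basic-ftp
// copy in a package-lock.json (lockfileVersion 2/3 "packages" layout) that is
// older than the fixed release.

const FIXED_VERSION = "5.2.1";

// Parses "MAJOR.MINOR.PATCH" and ignores any prerelease/build suffix. A
// prerelease such as 5.2.1-beta therefore compares as 5.2.1; treat such
// entries as needing manual review rather than as proven fixed.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) {
    throw new Error("unparseable version: " + version);
  }
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) {
      return pa[i] < pb[i] ? -1 : 1;
    }
  }
  return 0;
}

// The "packages" map keys are install paths such as "node_modules/basic-ftp"
// or "node_modules/other/node_modules/basic-ftp" for a nested duplicate.
function findVulnerableBasicFtp(lock) {
  const affected = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (!installPath.endsWith("node_modules/basic-ftp")) continue;
    if (!meta || !meta.version) continue;
    if (compareSemver(meta.version, FIXED_VERSION) < 0) {
      affected.push({ path: installPath, version: meta.version });
    }
  }
  return affected;
}

// Hypothetical entry point for a real lockfile on disk.
function scanLockfile(filePath) {
  const fs = require("fs");
  return findVulnerableBasicFtp(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample: one top-level copy that is too old, one nested copy that is fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/basic-ftp": { version: "5.0.5" },
    "node_modules/some-tool/node_modules/basic-ftp": { version: "5.2.1" },
  },
};

console.log(findVulnerableBasicFtp(SAMPLE_LOCK));
// → [ { path: 'node_modules/basic-ftp', version: '5.0.5' } ]
```

Run it against each repository's lockfile (scanLockfile("path/to/package-lock.json")); a nested hit means some other dependency pins an old basic-ftp, which an npm update of the top-level package alone will not fix.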

Evidence notes

The CVE-2026-39983 vulnerability details were obtained from the NVD and CVE.org. The vulnerability is caused by the basic-ftp library's protectWhitespace() helper not properly handling CRLF sequences in file paths, allowing for FTP command injection. The vulnerability has a CVSS score of 8.6 and is classified as CWE-93. Multiple references, including GitHub advisories and Red Hat errata, confirm the vulnerability and provide mitigation steps.

This article is AI-assisted and based on the supplied source corpus.