{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39983", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-08T00:01:47.628Z", "datePublished": "2026-04-09T17:05:46.228Z", "dateUpdated": "2026-04-09T19:31:42.093Z"}, "containers": {"cna": {"title": "FTP Command Injection via CRLF in basic-ftp", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"}, {"name": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b"}, {"name": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1"}], "affected": [{"vendor": "patrickjuchli", "product": "basic-ftp", "versions": [{"version": "< 5.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:05:46.228Z"}, "descriptions": [{"lang": "en", "value": "basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\\r\\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \\r\\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1."}], "source": {"advisory": "GHSA-chqc-8p9q-pq6q", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T17:32:54.638105Z", "id": "CVE-2026-39983", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T19:31:42.093Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39983", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-08T00:01:47.628Z", "datePublished": "2026-04-09T17:05:46.228Z", "dateUpdated": "2026-04-09T19:31:42.093Z"}, "containers": {"cna": {"title": "FTP Command Injection via CRLF in basic-ftp", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"}, {"name": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b"}, {"name": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1"}], "affected": [{"vendor": "patrickjuchli", "product": "basic-ftp", "versions": [{"version": "< 5.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:05:46.228Z"}, "descriptions": [{"lang": "en", "value": "basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\\r\\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \\r\\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1."}], "source": {"advisory": "GHSA-chqc-8p9q-pq6q", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39983", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T17:32:54.638105Z"}}}], "references": [{"url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T17:33:06.392Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:patrickjuchli:basic-ftp:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C779DF66-693E-4EB3-B33E-AC0A43741872", "versionEndExcluding": "5.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\\r\\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \\r\\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1."}], "id": "CVE-2026-39983", "lastModified": "2026-04-14T20:07:51.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T18:17:02.503", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "basic-ftp: basic-ftp: Command injection via CRLF sequences in file path parameters", "id": "2456971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456971"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "status": "draft"}, "cwe": "CWE-93", "details": ["A flaw was found in basic-ftp, an FTP client for Node.js. A remote attacker can exploit this vulnerability by injecting Carriage Return Line Feed (CRLF) sequences into file path parameters used by high-level APIs. This allows the attacker to split a single intended FTP command into multiple commands. Such command injection can lead to the execution of arbitrary commands, potentially compromising the integrity and availability of data or the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-39983", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "redhat-user-workloads/art-images", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/ansible-plugins", "product_name": "Self-service automation portal 2"}], "public_date": "2026-04-09T17:05:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-39983\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39983\nhttps://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b\nhttps://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1\nhttps://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "basic-ftp", "source": "cna", "vendor": "patrickjuchli"}, "product": "basic-ftp", "vendor": "patrickjuchli"}], "analysis": {"en": {"generated_at": "2026-04-15T15:06:57.365516+00:00", "value": {"mitigation_remediation": ["Upgrade the basic\u2011ftp package to version 5.2.1 or later", "Validate or sanitize all path parameters before passing them to the library, ensuring no CRLF sequences remain", "Configure the FTP user credentials used by the application with the least privileges required to perform its intended functions"], "summary": {"action": "Immediate Patch", "impact": "Command Injection via CRLF"}, "threat_synthesis": {"affected_systems": "Patrick Juchli's basic\u2011ftp library is used by Node.js applications. Versions prior to 5.2.1 are vulnerable. Any application that imports basic\u2011ftp and uses high\u2011level path APIs (cd, remove, rename, uploadFrom, downloadTo, list, removeDir) without sanitization is affected. No information is available regarding operating system or deployment dependency.", "description_and_impact": "The basic\u2011ftp library, used by Node.js applications, mistakenly accepts \\r\\n sequences in file path parameters for high\u2011level methods such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace helper only removes leading spaces and otherwise leaves the path unchanged. When the library forwards the constructed command to the FTP server, it appends \\r\\n and sends the string verbatim. An attacker who can supply a controlled path can insert a CRLF and split the intended FTP command into multiple commands, thereby gaining the ability to execute arbitrary FTP operations. This is a classic example of CWE\u201193, where an input that controls a protocol delimiter is not validated, leading to command injection at the protocol level.", "risk_and_exploitability": "The vulnerability has a CVSS vector indicating high severity with a base score of 8.6. The EPSS score is 7\u202f%, implying a low but non\u2011negligible probability of exploitation. The flaw is not listed in the CISA KEV catalog. Attackers who can supply an attacker\u2011controlled file path and have valid FTP credentials can use CRLF sequences to split a single intended command into multiple commands, effectively gaining the ability to execute arbitrary FTP operations such as uploading, downloading, deleting, or renaming files. This can compromise confidentiality, integrity, and availability of the files on the target FTP server. The attack requires only application\u2011level control over the path parameter; no additional network access beyond normal FTP usage is required."}}}}, "created": "2026-04-10T08:52:49.917585+00:00", "updated": "2026-04-15T16:00:07.802948+00:00", "vendors": ["patrickjuchli", "patrickjuchli$PRODUCT$basic-ftp"]}