Cyber Resilience

CVE-2026-39983

High · Public PoC · Updated

Published: 09 April 2026
Modified: 30 June 2026
CVSS Score (v3.1): 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
EPSS Score: 0.0194 (77.6th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-39983 is a high-severity CRLF Injection (CWE-93) vulnerability in Patrickjuchli Basic-Ftp. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SA-8 (Security and Privacy Engineering Principles).

Deeper analysis

basic-ftp is an FTP client library for Node.js that prior to version 5.2.1 permitted FTP command injection through CRLF sequences embedded in file path arguments supplied to APIs including cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The protectWhitespace helper only stripped leading whitespace and left other inputs untouched, while FtpContext.send wrote the resulting string directly to the control socket and appended its own CRLF terminator, allowing a single call to be split into multiple FTP commands.

An attacker who can influence the path strings passed to these high-level methods can therefore inject arbitrary FTP commands against the remote server without authentication or user interaction, achieving impacts rated at CVSS 8.6 that include confidentiality loss, integrity compromise, and limited availability effects.

The vulnerability is addressed in release 5.2.1; the project published a corresponding security advisory and the fixing commit on GitHub that sanitizes path inputs before command construction.

EPSS rose from a low baseline to a peak of 0.0698 on 2026-04-16 shortly after disclosure before receding to the current value of 0.0204, indicating a transient increase in exploitation interest following public release of the details.

Vulnerability details

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
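As an added illustration of the weakness described in the deeper analysis and the vulnerability details above (this is not code from basic-ftp, its advisory or its fixing commit): a small model of a send path that appends CRLF to an unvalidated path, a counter showing how many commands a server would parse from it, and the input guard a defender would want in front of that send. Function names and the sample paths are constructed for this example.

```javascript
// Characters that terminate or corrupt an FTP control line. CR and LF are
// the injection vector this page describes; NUL is refused as well because
// it never belongs in a legitimate path and commonly defeats string checks.
const FORBIDDEN = /[\r\n\0]/;

// Model of the vulnerable send path: the verb is joined with the raw path
// and a CRLF terminator is appended, with no validation in between.
function buildControlLine(verb, path) {
  return `${verb} ${path}\r\n`;
}

// Number of complete commands an FTP server would parse from one line.
// A single well-formed call yields exactly one.
function countCommands(line) {
  return line.split('\r\n').filter(s => s.length > 0).length;
}

// Hardened path: refuse the input outright rather than stripping it, so the
// caller learns it received something that must never reach the socket.
function assertSafePath(path) {
  if (typeof path !== 'string') {
    throw new TypeError('path must be a string');
  }
  if (FORBIDDEN.test(path)) {
    throw new Error('path contains CR, LF or NUL; refusing to build FTP command');
  }
  return path;
}

// Send-path wrapper that validates before the line is assembled.
function safeControlLine(verb, path) {
  return buildControlLine(verb, assertSafePath(path));
}

// Boolean form for callers that want to log and reject rather than throw.
function isSafePath(path) {
  try { assertSafePath(path); return true; } catch { return false; }
}

// Constructed sample inputs (not taken from any real incident). The second
// carries an embedded line break followed by a harmless NOOP.
const SAFE_PATH = 'uploads/report.txt';
const CRLF_PATH = 'uploads/report.txt\r\nNOOP';
```

Run against the two samples, the unguarded builder turns the second path into two parsed commands while the guarded builder rejects it before any line is formed.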

CWE(s)

CWE-93 (CRLF Injection)
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remotely exploitable (AV:N/AC:L/PR:N/UI:N) command injection in a Node.js FTP client library, enabling attackers to inject arbitrary FTP commands when untrusted input is processed as paths in public-facing applications using the library.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27699 (same product: Patrickjuchli Basic-Ftp)
CVE-2026-41324 (same product: Patrickjuchli Basic-Ftp)
CVE-2026-41230 (shared CWE-93)
CVE-2025-28357 (shared CWE-93)
CVE-2026-39394 (shared CWE-93)
CVE-2026-21428 (shared CWE-93)
CVE-2026-32993 (shared CWE-93)
CVE-2026-5140 (shared CWE-93)
CVE-2026-39849 (shared CWE-93)
CVE-2026-1714 (shared CWE-93)

Affected Assets

patrickjuchli
basic-ftp
≤ 5.2.1

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Directly requires validation and sanitization of untrusted path inputs to the FTP APIs, blocking CRLF sequences that enable command injection.

Prevent: SA-8 (Security and Privacy Engineering Principles). Mandates application of secure engineering principles such as input sanitization and command construction hygiene during library development.

Respond: Requires timely remediation of the identified flaw via patching to version 5.2.1, which sanitizes paths before command assembly.
