CVE-2026-39983
Published: 09 April 2026
Summary
CVE-2026-39983 is a high-severity CRLF Injection (CWE-93) vulnerability in Patrickjuchli Basic-Ftp. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SA-8 (Security and Privacy Engineering Principles).
Deeper analysis
basic-ftp is an FTP client library for Node.js that prior to version 5.2.1 permitted FTP command injection through CRLF sequences embedded in file path arguments supplied to APIs including cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The protectWhitespace helper only stripped leading whitespace and left other inputs untouched, while FtpContext.send wrote the resulting string directly to the control socket and appended its own CRLF terminator, allowing a single call to be split into multiple FTP commands.
An attacker who can influence the path strings passed to these high-level methods can therefore inject arbitrary FTP commands against the remote server without authentication or user interaction, achieving impacts rated at CVSS 8.6 that include confidentiality loss, integrity compromise, and limited availability effects.
The vulnerability is addressed in release 5.2.1; the project published a corresponding security advisory and the fixing commit on GitHub that sanitizes path inputs before command construction.
EPSS rose from a low baseline to a peak of 0.0698 on 2026-04-16 shortly after disclosure before receding to the current value of 0.0204, indicating a transient increase in exploitation interest following public release of the details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20976
Vulnerability details
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
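The following is an added example written for this page, not code from basic-ftp or its advisory. It models the control-channel behaviour described above with a simplified stand-in for protectWhitespace() (assumed here to only trim leading whitespace) and shows the input check an application should apply to untrusted path strings before they reach the client library: a path containing CR or LF is rejected, so a single call can no longer be split into two commands.

```javascript
// Added example: model of the CRLF command-splitting problem and a
// defensive path check. Not basic-ftp's own implementation.

const CRLF = "\r\n";

// Approximates the pre-5.2.1 behaviour the advisory describes: only leading
// whitespace is handled, then the command is written with CRLF appended.
// (Assumption: trimStart() stands in for the real protectWhitespace().)
function vulnerableBuildCommand(verb, path) {
  const protectedPath = path.trimStart();
  return `${verb} ${protectedPath}${CRLF}`;
}

// Counts how many complete command lines a server would parse from the
// bytes written to the control socket (LF alone is also treated as a
// terminator, which is the conservative assumption).
function countCommands(wire) {
  return wire.split(/\r\n|\n/).filter((line) => line.length > 0).length;
}

// Hardened boundary check: refuse any path carrying CR, LF or NUL.
// Rejecting (rather than silently stripping) keeps the failure visible.
function assertSafePath(path) {
  if (typeof path !== "string") {
    throw new TypeError("path must be a string");
  }
  if (/[\r\n\0]/.test(path)) {
    throw new Error("path contains control characters (CR/LF/NUL)");
  }
  return path;
}

function isSafePath(path) {
  try {
    assertSafePath(path);
    return true;
  } catch {
    return false;
  }
}

// Command construction that validates first, so one call maps to exactly
// one FTP command on the wire.
function safeBuildCommand(verb, path) {
  return `${verb} ${assertSafePath(path)}${CRLF}`;
}

// Constructed sample inputs: a benign path and one with an embedded CRLF
// followed by a harmless NOOP, enough to show the split.
const benignPath = "pub/reports 2026";
const crlfPath = "pub\r\nNOOP";
```

In an application, call isSafePath() (or assertSafePath()) on every user-influenced value before handing it to cd(), rename(), uploadFrom() and the other path-taking APIs; upgrading to 5.2.1 remains the primary fix.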
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remotely exploitable (AV:N/AC:L/PR:N/UI:N) command injection in a Node.js FTP client library, enabling attackers to inject arbitrary FTP commands when untrusted input is processed as paths in public-facing applications using the library.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of untrusted path inputs to the FTP APIs, blocking CRLF sequences that enable command injection.
- SA-8 (Security and Privacy Engineering Principles): Mandates application of secure engineering principles such as input sanitization and command construction hygiene during library development.
- Requires timely remediation of the identified flaw via patching to version 5.2.1, which sanitizes paths before command assembly.