basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (rn) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The librarys protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with rn appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
Weakness
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Basic-ftp | Patrickjuchli | * | 5.2.1 (excluding) |
| Red Hat Developer Hub 1.8 | RedHat | rhdh/rhdh-hub-rhel9:1776784286 | * |
| Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1777903262 | * |
Potential Mitigations
Related Attack Patterns
References
- https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b
- https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1
- https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q
- https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q