VDB
CVE-2026-39983
CVE-2026-39983
PUBLISHED
CVSS 8.600000381469727 HIGH
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
EPSS 2.04% · 84.2th percentile
Risk Scores
CVSS 3.1
8.600000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS Score
2.04%
84.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| npm | basic-ftp | 5.2.0, 5.2.0 |
| patrickjuchli | basic-ftp | * |
Exploit Intelligence
- Advisory for basic-ftp ⌯⌲ 20 mill weekly downloads (github-poc-repo)
- Advisory for basic-ftp ⌯⌲ 20 mill weekly downloads (github-poc-repo)
- Advisory for basic-ftp ⌯⌲ 20 mill weekly downloads (github-poc-repo)
- Advisory for basic-ftp ⌯⌲ 20 mill weekly downloads (github-poc-repo)
- Advisory for basic-ftp ⌯⌲ 20 mill weekly downloads (github-poc-repo)
- Advisory for basic-ftp ⌯⌲ 20 mill weekly downloads (github-poc-repo)
- Advisory for basic-ftp ⌯⌲ 20 mill weekly downloads (github-poc-repo)
- Advisory for basic-ftp ⌯⌲ 20 mill weekly downloads (github-poc)
- Advisory for basic-ftp ⌯⌲ 20 mill weekly downloads (github-poc)
- Advisory for basic-ftp ⌯⌲ 20 mill weekly downloads (github-poc)
…and 8 more exploits
Timeline
- Apr 8, 2026 CVE Published
- Apr 9, 2026 CVE Updated
- Apr 9, 2026 PoC Published
- Apr 10, 2026 Security Advisory
- Apr 11, 2026 EPSS Score
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
References
- https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q url
- https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b url
- https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-39983 advisory
- https://github.com/patrickjuchli/basic-ftp package
- https://www.ibm.com/support/pages/node/7274185 advisory
- https://www.ibm.com/support/pages/node/7274154 advisory
- https://www.ibm.com/support/pages/node/7274180 advisory
- https://www.ibm.com/support/pages/node/7274183 advisory
- https://www.ibm.com/support/pages/node/7273957 advisory
- https://www.ibm.com/support/pages/node/7274184 advisory
- https://www.ibm.com/support/pages/node/7274314 advisory
- https://www.ibm.com/support/pages/node/7274182 advisory
- https://www.ibm.com/support/pages/node/7274181 advisory
- https://www.ibm.com/support/pages/node/7273803 advisory
- https://www.ibm.com/support/pages/node/7272901 advisory