GHSA-6V7Q-WJVX-W8WG: Arbitrary FTP Command Execution via CRLF Injection in basic-ftp

The basic-ftp library is a widely used FTP client for Node.js, providing asynchronous functions to interact with FTP servers. Prior to version 5.2.2, the package exhibited incomplete sanitization of user-supplied inputs, resulting in an Improper Neutralization of CRLF Sequences vulnerability (CWE-93). This flaw allows an attacker to inject control characters into the network stream.

The attack surface includes several input vectors, specifically the connection credentials (username and password) and directory path arguments supplied to commands like MKD (Make Directory). The library attempted to mitigate injection attacks using a localized helper function, but failed to apply this validation uniformly across all protocol interactions.

Successful exploitation results in arbitrary FTP command execution. By injecting Carriage Return (\r) and Line Feed (\n) sequences into these vulnerable inputs, an attacker can manipulate the FTP protocol stream. This forces the server to process the injected payload as subsequent, distinct commands, overriding the intended behavior of the client application.

The root cause of this vulnerability stems from a decentralized and incomplete validation strategy for network-bound data. Security controls were implemented at the perimeter of the application logic rather than at the network socket sink. Specifically, basic-ftp relied on a helper method named protectWhitespace(path) to identify and reject control characters.

This perimeter-based defense failed to cover critical command execution paths. The USER and PASS commands, which authenticate the client to the server, bypassed the protectWhitespace check entirely. If the application allowed user-controlled input for these fields, an attacker could embed newline characters to terminate the PASS sequence and inject arbitrary operations.

Furthermore, the validation logic exhibited inconsistencies regarding directory management. In workflows utilizing the ensureDir functionality, the library issued the MKD command to the server before applying validation in the subsequent cd (Change Directory) call. This execution order created a vulnerability window where malicious directory names were transmitted to the server without sanitization.

By failing to validate all outbound data at the point of socket transmission, the library permitted downstream components to transmit protocol control characters. The FTP protocol utilizes CRLF as the standard command delimiter, meaning any injected newlines are inherently interpreted as command boundaries by the receiving server.

Prior to version 5.2.2, the protectWhitespace method in src/Client.ts contained the primary defense against CRLF injection. This method was invoked inconsistently across the codebase, leaving several command invocation routes unprotected.

async protectWhitespace(path: string): Promise<string> {
    // Reject CRLF injection attempts
    if (/[\r\n\0]/.test(path)) {
        throw new Error("Invalid path: Contains control characters");
    }
    if (!path.startsWith(" ")) {
        return path
    }
}

The maintainer addressed this architectural flaw in commit 20327d35126e57e5fdbaae79a4b65222fbadc53c by shifting the validation logic from the high-level client methods to a centralized choke point. The localized check in protectWhitespace was removed, preventing future omissions when adding new client functions.

// In src/FtpContext.ts
send(command: string) {
    // Reject control character injection attempts.
    if (/[\r\n\0]/.test(command)) {
        throw new Error(`Invalid command: Contains control characters. (${command})`);
    }
    const containsPassword = command.startsWith("PASS")
    const message = containsPassword ? "> PASS ###" : `> ${command}`
    this.log(message)
    // ... network write logic ...
}

The patch in src/FtpContext.ts intercepts all outgoing FTP commands at the send method. By applying the regular expression /[\r\n\0]/ to the raw command string immediately prior to transmission, the library guarantees that no carriage returns, line feeds, or null bytes can reach the socket interface. This centralized sink validation completely mitigates the CRLF injection vulnerability regardless of the entry point.

Exploitation requires the attacker to control variables passed to the vulnerable basic-ftp methods. Common vectors include applications that dynamically connect to FTP servers based on user-supplied credentials, or applications that create directories named after user input.

An attacker crafts a payload by terminating the intended value with a CRLF sequence, followed by an arbitrary FTP command. For example, if an attacker provides mypassword\r\nDELE /critical/file as the password field, the library appends its own termination sequence and writes the data to the socket.

The FTP server receives the network transmission and processes the byte stream sequentially. It interprets PASS mypassword as the first command and attempts authentication. Immediately following, it encounters the DELE /critical/file command and executes it within the context of the authenticated session.

This technique allows the execution of arbitrary FTP protocol actions. The attacker does not gain arbitrary operating system command execution directly via this vector, but rather achieves control over the FTP interaction stream. The success of the injected commands depends on the authorization state at the moment the server evaluates the payload.

The direct impact of this vulnerability is the unauthorized execution of FTP commands. If the injected command executes successfully, an attacker can manipulate files, alter permissions, or retrieve data from the target FTP server. This compromises the integrity and confidentiality of the data stored on the system.

The severity of the impact is contingent on the privileges of the authenticated FTP user. If the injection occurs during the PASS command authentication phase, the subsequent commands execute with the permissions of that user. Actions such as DELE (delete file), RMD (remove directory), or RETR (retrieve file) can be utilized to destroy data or exfiltrate sensitive information.

If the injection occurs pre-authentication (e.g., within the USER command), the impact is limited to commands the server permits for unauthenticated clients. However, many FTP servers allow specific informational commands or anonymous interactions before a successful login, which could still be abused for reconnaissance.

The blast radius is primarily confined to the FTP server and its accessible file system. The application running the basic-ftp library acts as a confused deputy, unwittingly relaying the malicious payloads to the backend infrastructure.

The definitive remediation for this vulnerability is updating the basic-ftp dependency to version 5.2.2 or later. This release introduces the centralized validation logic at the send method, ensuring all network transmissions are free of control characters. Development teams must audit their package.json and lockfiles to enforce this minimum version requirement.

For environments unable to deploy the patched library version immediately, application-level input validation serves as an effective mitigating control. Developers must implement strict sanitization on all user-controlled data passed to basic-ftp methods, specifically stripping or rejecting carriage returns (\r), line feeds (\n), and null bytes (\0) from credentials and file paths.

Defenders should monitor FTP server logs for indicators of exploitation. Network security monitoring tools can be configured to detect anomalous FTP streams containing multiple rapid commands or the presence of literal newline characters within the parameters of commands like USER, PASS, and MKD. Unusual intervals between authentication commands and destructive commands often indicate automated injection attempts.