Apr 11, 2026·6 min read·33 visits
CRLF injection in basic-ftp < 5.2.2 permits arbitrary FTP command execution when handling unvalidated credentials and directory names.
The basic-ftp npm package prior to version 5.2.2 contains a CRLF injection vulnerability due to incomplete input validation. This flaw allows an attacker who controls credentials or directory inputs to execute arbitrary FTP commands on the target server.
The basic-ftp library is a widely used FTP client for Node.js, providing asynchronous functions to interact with FTP servers. Prior to version 5.2.2, the package exhibited incomplete sanitization of user-supplied inputs, resulting in an Improper Neutralization of CRLF Sequences vulnerability (CWE-93). This flaw allows an attacker to inject control characters into the network stream.
The attack surface includes several input vectors, specifically the connection credentials (username and password) and directory path arguments supplied to commands like MKD (Make Directory). The library attempted to mitigate injection attacks using a localized helper function, but failed to apply this validation uniformly across all protocol interactions.
Successful exploitation results in arbitrary FTP command execution. By injecting Carriage Return (\r) and Line Feed (\n) sequences into these vulnerable inputs, an attacker can manipulate the FTP protocol stream. This forces the server to process the injected payload as subsequent, distinct commands, overriding the intended behavior of the client application.
The root cause of this vulnerability stems from a decentralized and incomplete validation strategy for network-bound data. Security controls were implemented at the perimeter of the application logic rather than at the network socket sink. Specifically, basic-ftp relied on a helper method named protectWhitespace(path) to identify and reject control characters.
This perimeter-based defense failed to cover critical command execution paths. The USER and PASS commands, which authenticate the client to the server, bypassed the protectWhitespace check entirely. If the application allowed user-controlled input for these fields, an attacker could embed newline characters to terminate the PASS sequence and inject arbitrary operations.
Furthermore, the validation logic exhibited inconsistencies regarding directory management. In workflows utilizing the ensureDir functionality, the library issued the MKD command to the server before applying validation in the subsequent cd (Change Directory) call. This execution order created a vulnerability window where malicious directory names were transmitted to the server without sanitization.
By failing to validate all outbound data at the point of socket transmission, the library permitted downstream components to transmit protocol control characters. The FTP protocol utilizes CRLF as the standard command delimiter, meaning any injected newlines are inherently interpreted as command boundaries by the receiving server.
Prior to version 5.2.2, the protectWhitespace method in src/Client.ts contained the primary defense against CRLF injection. This method was invoked inconsistently across the codebase, leaving several command invocation routes unprotected.
async protectWhitespace(path: string): Promise<string> {
// Reject CRLF injection attempts
if (/[\r\n\0]/.test(path)) {
throw new Error("Invalid path: Contains control characters");
}
if (!path.startsWith(" ")) {
return path
}
}The maintainer addressed this architectural flaw in commit 20327d35126e57e5fdbaae79a4b65222fbadc53c by shifting the validation logic from the high-level client methods to a centralized choke point. The localized check in protectWhitespace was removed, preventing future omissions when adding new client functions.
// In src/FtpContext.ts
send(command: string) {
// Reject control character injection attempts.
if (/[\r\n\0]/.test(command)) {
throw new Error(`Invalid command: Contains control characters. (${command})`);
}
const containsPassword = command.startsWith("PASS")
const message = containsPassword ? "> PASS ###" : `> ${command}`
this.log(message)
// ... network write logic ...
}The patch in src/FtpContext.ts intercepts all outgoing FTP commands at the send method. By applying the regular expression /[\r\n\0]/ to the raw command string immediately prior to transmission, the library guarantees that no carriage returns, line feeds, or null bytes can reach the socket interface. This centralized sink validation completely mitigates the CRLF injection vulnerability regardless of the entry point.
Exploitation requires the attacker to control variables passed to the vulnerable basic-ftp methods. Common vectors include applications that dynamically connect to FTP servers based on user-supplied credentials, or applications that create directories named after user input.
An attacker crafts a payload by terminating the intended value with a CRLF sequence, followed by an arbitrary FTP command. For example, if an attacker provides mypassword\r\nDELE /critical/file as the password field, the library appends its own termination sequence and writes the data to the socket.
The FTP server receives the network transmission and processes the byte stream sequentially. It interprets PASS mypassword as the first command and attempts authentication. Immediately following, it encounters the DELE /critical/file command and executes it within the context of the authenticated session.
This technique allows the execution of arbitrary FTP protocol actions. The attacker does not gain arbitrary operating system command execution directly via this vector, but rather achieves control over the FTP interaction stream. The success of the injected commands depends on the authorization state at the moment the server evaluates the payload.
The direct impact of this vulnerability is the unauthorized execution of FTP commands. If the injected command executes successfully, an attacker can manipulate files, alter permissions, or retrieve data from the target FTP server. This compromises the integrity and confidentiality of the data stored on the system.
The severity of the impact is contingent on the privileges of the authenticated FTP user. If the injection occurs during the PASS command authentication phase, the subsequent commands execute with the permissions of that user. Actions such as DELE (delete file), RMD (remove directory), or RETR (retrieve file) can be utilized to destroy data or exfiltrate sensitive information.
If the injection occurs pre-authentication (e.g., within the USER command), the impact is limited to commands the server permits for unauthenticated clients. However, many FTP servers allow specific informational commands or anonymous interactions before a successful login, which could still be abused for reconnaissance.
The blast radius is primarily confined to the FTP server and its accessible file system. The application running the basic-ftp library acts as a confused deputy, unwittingly relaying the malicious payloads to the backend infrastructure.
The definitive remediation for this vulnerability is updating the basic-ftp dependency to version 5.2.2 or later. This release introduces the centralized validation logic at the send method, ensuring all network transmissions are free of control characters. Development teams must audit their package.json and lockfiles to enforce this minimum version requirement.
For environments unable to deploy the patched library version immediately, application-level input validation serves as an effective mitigating control. Developers must implement strict sanitization on all user-controlled data passed to basic-ftp methods, specifically stripping or rejecting carriage returns (\r), line feeds (\n), and null bytes (\0) from credentials and file paths.
Defenders should monitor FTP server logs for indicators of exploitation. Network security monitoring tools can be configured to detect anomalous FTP streams containing multiple rapid commands or the presence of literal newline characters within the parameters of commands like USER, PASS, and MKD. Unusual intervals between authentication commands and destructive commands often indicate automated injection attempts.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
basic-ftp npm | < 5.2.2 | 5.2.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-93 |
| Attack Vector | Network |
| CVSS Score | 8.1 |
| Impact | Arbitrary FTP Command Execution |
| Exploit Status | PoC |
| KEV Status | Not Listed |
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.
An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.
An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.
CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.
An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.
A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.