GHSA-CHQC-8P9Q-PQ6Q: FTP Command Injection via CRLF Sequences in basic-ftp

The basic-ftp library operates as a client-side FTP implementation for Node.js environments. In version 5.2.0, the package contains a high-severity command injection vulnerability stemming from unescaped carriage return and line feed (CRLF) sequences. An attacker who controls file path parameters passed to the library can inject arbitrary administrative commands into the underlying FTP control connection.

Applications that accept user-controlled strings for filenames or paths and subsequently pass them to the library's API expose this attack surface. The vulnerability maps specifically to CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-74 (Injection). Because FTP is structurally a line-based protocol, it intrinsically relies on newline sequences to delineate discrete command frames.

By injecting carriage return (\r) and line feed (\n) characters into a path string, an attacker actively terminates the developer's intended command. The remaining characters injected after the sequence are parsed by the remote FTP server as entirely new, independent directives. This mechanism completely bypasses the intended operational scope of the application utilizing the library.

The vulnerability exists due to a specific design oversight within the path processing pipeline of the basic-ftp library. The protectWhitespace() function, located in src/Client.ts, prepares file paths before transmission. Its primary programmed purpose addresses server incompatibility issues with leading spaces, entirely omitting control character validation logic.

When high-level API methods invoke protectWhitespace(), the resulting sanitized string passes unmodified directly to the low-level FtpContext.send() method. The send() method operates as a simple transport wrapper that structurally trusts its input. It systematically appends a hardcoded \r\n terminator to the provided string and writes the final payload payload to the control socket.

This interaction directly establishes the CRLF injection condition. The library implicitly trusts the structural integrity of the path variable. By embedding \r\n within this variable, the resulting socket transmission forces multiple discrete FTP protocol frames into a single network packet, subverting protocol boundaries.

This flaw affects numerous high-level methods exposed by the Client class. Any operational method routing user-supplied paths through protectWhitespace() before invoking send() inherits the vulnerability. This comprehensively includes directory operations like cd(), remove(), and list(), alongside standard file operations such as downloadTo(), uploadFrom(), and rename().

Examining the source code of version 5.2.0 exposes the missing validation logic in the src/Client.ts component. The protectWhitespace method explicitly checks for leading spaces but returns the path string unmodified if none are present. No further syntactic inspection of the string contents occurs before returning the value to the caller.

// Vulnerable code in basic-ftp 5.2.0 (src/Client.ts)
async protectWhitespace(path: string): Promise<string> {
    if (!path.startsWith(" ")) {
        return path; // No sanitization of \r\n characters
    }
    // ... (logic for leading spaces)
}

The patch introduced in commit 2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b mitigates the issue by applying explicit control character filtering. The maintainers added a robust regular expression validation step that actively tests the parameter before proceeding with path formatting.

// Patched code in basic-ftp 5.2.1 (src/Client.ts)
async protectWhitespace(path: string): Promise<string> {
    // Reject CRLF injection attempts
    if (/[\r\n\0]/.test(path)) {
        throw new Error("Invalid path: Contains control characters");
    }
    // ...
}

This fix successfully neutralizes the identified attack vector in a comprehensive manner. By explicitly throwing an exception upon detecting carriage returns, line feeds, or null bytes, the library aggressively prevents the generation of malformed protocol frames. The validation occurs early in the execution chain, universally protecting all downstream socket write operations.

Exploiting this vulnerability requires the attacker to supply a string containing the \r\n byte sequence directly to a vulnerable application endpoint. The attacker does not require direct network access to the target FTP server. Instead, the vulnerable Node.js application acts as a confused deputy, blindly forwarding the malicious payload through its established, authenticated FTP control channel.

A standard exploitation payload embeds the terminating sequence followed immediately by the secondary protocol command. For example, utilizing the payload harmless.txt\r\nDELE /critical/system-data.txt precisely triggers the injection condition. When processed by a deletion or directory listing routine, the FTP server processes the first line normally, then interprets the second line as a highly-privileged independent directive.

// Proof of Concept Exploit
const ftp = require('basic-ftp');
 
async function exploit() {
  const client = new ftp.Client();
  try {
    await client.access({ host: '127.0.0.1', port: 2121 });
    const maliciousPath = "subdir\r\nDELE secret-file.txt";
    await client.cd(maliciousPath);
  } catch(e) {
    console.log('Error:', e.message);
  } finally {
    client.close();
  }
}
exploit();

The provided Proof of Concept effectively demonstrates the injection mechanism against a mocked backend socket. By monitoring the raw network buffer received by the test server, the analysis confirms the exact structural transmission. The client transmits CWD subdir\r\nDELE secret-file.txt\r\n, forcing the server to execute the deletion command sequentially.

The successful exploitation of this vulnerability directly results in unauthorized arbitrary FTP command execution on the target server. The attacker inherently assumes the operational privileges of the authenticated FTP user session initially established by the vulnerable Node.js application. Consequently, the practical impact scales directly with the permission level assigned to that specific service account.

Integrity and availability impacts manifest as the most direct and destructive consequences of this vulnerability. An attacker can inject file manipulation commands such as DELE to irreversibly destroy remote assets, or utilize RNFR and RNTO to manipulate file structures. If the application session possesses wide-ranging write privileges, catastrophic data loss on the connected FTP server becomes highly probable.

Confidentiality compromises are technically feasible, although they require specific architectural conditions to successfully exfiltrate data. An attacker might inject LIST or PWD commands to enumerate directories and discover file layouts. However, successfully reading the structural output of these injected commands requires the vulnerable application to inadvertently capture and return the asynchronous socket responses to the attacker.

The CVSS v3.1 base score of 8.6 accurately reflects the severe operational risk. The attack vector remains strictly network-based and necessitates no elevated privileges or user interaction from the attacker. The integrity metric calculates as high due exclusively to the proven potential for arbitrary remote file deletion and unrestricted data modification.

The primary and definitive remediation strategy requires upgrading the basic-ftp dependency within the affected environment. Development teams must update their package.json manifests to explicitly specify version 5.2.1 or later. This release definitively contains the comprehensive control character validation patch that fundamentally neutralizes the attack vector.

In operational scenarios where an immediate dependency update is structurally blocked, development teams must deploy strict input validation mechanisms. Applications should actively sanitize all user-supplied variables destined for FTP interactions at the API boundary. Systematically rejecting any input containing \r, \n, or \0 characters provides an effective functional workaround.

Furthermore, infrastructure teams should strictly enforce the principle of least privilege on all backend service accounts interacting with external libraries. The FTP credentials utilized by the vulnerable application must possess only the absolute minimum permissions required for standard operation. If an application solely retrieves files, the FTP user account must be configured as strictly read-only, ensuring injected administrative commands organically fail at the server level.