
Patches FTP command injection in basic-ftp path handling

2 min read. Published 08 Apr 2026. Updated 09 Apr 2026. Source: GitHub Security Advisory (patrickjuchli/basic-ftp)

TL;DR — basic-ftp 5.2.0 lets attacker-controlled paths inject extra FTP commands via embedded \r\n, which can turn a single file operation into multiple server-side actions (delete/exfiltrate/etc.).

What happened

basic-ftp is a Node.js FTP client library used to automate FTP operations (upload/download/list/rename/delete) over the FTP control channel. GitHub advisory GHSA-chqc-8p9q-pq6q (CVE-2026-39983) describes a CRLF command-injection issue where untrusted path strings can contain \r\n and split an intended FTP command into multiple commands.

Per the advisory, the bug is caused by (1) protectWhitespace() returning most paths unchanged (no rejection of \r/\n) and (2) FtpContext.send() writing the command string directly to the control socket with \r\n appended. As a result, any high-level API that interpolates a remote path into a command (e.g., cd(), remove(), rename(), list(), uploadFrom(), downloadTo(), removeDir()) can become an injection primitive when the path originates from attacker-controlled input.

Item: Source value
Affected software: basic-ftp (npm)
Impact (per advisory): FTP command injection via CRLF in path parameters; attacker can inject additional FTP protocol commands
Severity: CVSS v3.1 8.6 (High)
Affected versions: 5.2.0
Patched versions: 5.2.1

Operational note: the advisory body includes an “Affected product” table stating “no fix available as of 2026-04-04”, but the same advisory page lists 5.2.1 as the patched version; treat 5.2.1 as the current vendor-published remediation state.

Protocol injection in text-based control channels (FTP/SMTP/IMAP/Redis RESP variants, etc.) is a recurring failure mode when libraries concatenate untrusted strings into wire commands. This is especially relevant for platform teams that expose “file path” parameters through APIs, jobs, or user-configurable workflows.

Who is impacted

  • Projects using basic-ftp 5.2.0.
  • Any application that passes untrusted input into FTP path parameters (including indirectly via job definitions, webhook payloads, UI fields, or API parameters) for methods like cd(), remove(), rename(), list(), uploadFrom(), downloadTo(), or removeDir().
  • Higher-risk environments where the FTP server or environment makes injected commands materially dangerous (e.g., deletion of critical files, unintended data retrieval, or servers supporting powerful commands like SITE EXEC, as noted in the advisory’s “Technical impact” section).

What to do now

  • Follow vendor remediation guidance and apply the patched release.

    "## Patched versions" … 5.2.1

  • If you cannot patch immediately, apply the advisory’s immediate workaround by rejecting control characters in all FTP paths before calling basic-ftp APIs.

    "Immediate workaround: Sanitize all path inputs before passing them to basic-ftp"

  • Audit call sites where remote paths are constructed: ensure path inputs are not attacker-controlled (or are strictly validated) before being used in cd(), remove(), rename(), list(), uploadFrom(), downloadTo(), and removeDir().
  • If you suspect exposure, review application logs and FTP server logs for unexpected command sequences (e.g., multiple commands issued where one operation was expected), and assess downstream impact (deleted files, unauthorized retrievals, or unexpected authentication changes).
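The following is an added example, not code from basic-ftp or the advisory. It implements the workaround above: every remote path is checked for control characters before it can reach a control-channel command, and a small helper shows why a CRLF in a path is read by the server as more than one command. The per-method argument positions in REMOTE_PATH_ARGS and the wrapped client object are assumptions for illustration.

```javascript
// Added example (not basic-ftp's own code): reject control characters in
// remote paths before they are interpolated into an FTP command.

// ASCII control characters (including \r 0x0d and \n 0x0a) and DEL. Reject
// rather than strip: silently rewriting a path changes which remote object
// the operation touches.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

function assertSafeFtpPath(remotePath) {
  if (typeof remotePath !== "string" || remotePath.length === 0) {
    throw new TypeError("FTP path must be a non-empty string");
  }
  const hit = CONTROL_CHARS.exec(remotePath);
  if (hit) {
    const code = hit[0].charCodeAt(0).toString(16).padStart(2, "0");
    throw new Error(`FTP path rejected: control character 0x${code} at offset ${hit.index}`);
  }
  return remotePath;
}

// The control channel is line-oriented: one command per CRLF-terminated line.
// This mirrors what a server receives when a client writes `${verb} ${path}\r\n`
// without validating the path, so a CRLF inside the path yields extra commands.
function commandLinesAsSeenByServer(verb, remotePath) {
  return `${verb} ${remotePath}\r\n`.split("\r\n").filter((line) => line.length > 0);
}

// Which argument positions carry a remote path for each method named in the
// advisory. ASSUMPTION: verify these against the basic-ftp version you run.
const REMOTE_PATH_ARGS = {
  cd: [0], remove: [0], list: [0], removeDir: [0],
  rename: [0, 1], uploadFrom: [1], downloadTo: [1],
};

// Wrap a client object so its path-taking methods validate before running.
// `client` is any object exposing methods with the names above.
function withSafePaths(client) {
  return new Proxy(client, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      const positions = REMOTE_PATH_ARGS[prop];
      if (typeof value !== "function" || !positions) return value;
      return (...args) => {
        for (const i of positions) {
          if (args[i] !== undefined) assertSafeFtpPath(args[i]); // list() path is optional
        }
        return value.apply(target, args);
      };
    },
  });
}
```

Because the wrapper validates on every call, a rejected path never reaches the socket, which is the property the advisory's workaround is meant to guarantee.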

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
