Listen to this Post
The vulnerability works through two incomplete CRLF injection patches. First, the `login()` method concatenates user-supplied `user` and `password` directly into `USER` and `PASS` FTP commands without any CRLF validation. The `FtpContext.send()` writes the command string plus `\r\n` to the TCP socket, so an attacker can inject `\r\nDELE file.txt` inside a username. The `protectWhitespace()` function rejects \r, \n, and `\0` but is never called for credentials. Second, the `_openDir()` method sends an `MKD` command using unsanitized `dirName` before calling cd(), which later invokes protectWhitespace(). This TOCTOU bypass allows an attacker to inject FTP commands via path fragments (e.g., test\r\nDELE file.txt/subdir) because the malicious `MKD` is already transmitted. Both vectors enable arbitrary FTP command injection on the control connection.
Platform: basic-ftp npm package
Version: All vulnerable versions
Vulnerability: CRLF injection bypass
Severity: Critical
date: April 12 2024
Prediction: Patch expected 2024-05-01
What Undercode Say:
Analytics:
Test CRLF injection in credentials using netcat echo -e "USER anonymous\r\nDELE secret.txt\r\nPASS guest\r\n" | nc target-ftp 21 Node.js PoC to detect vulnerable basic-ftp npm list basic-ftp grep -r "protectWhitespace" node_modules/basic-ftp/dist/Client.js
// Automated check for missing validation in login()
const client = new require('basic-ftp').Client();
client.ftp.socket.write = (data) => {
if (data.includes('\r\n')) console.log('CRLF injection possible');
};
How Exploit:
- Vector 1: Provide username `”anonymous\r\nDELE important.txt”` and any password. The server receives
USER anonymous\r\nDELE important.txt\r\nPASS guest, executing DELE before PASS. - Vector 2: Call
client.ensureDir("dir\r\nDELE victim.txt/sub"). `_openDir` sends `MKD dir\r\nDELE victim.txt` immediately. `cd()` later throws on CRLF, but the injected `DELE` already runs. - Use FTP command chaining:
RNFR,RNTO,MKD,RMD,SITE CHMOD, orUSER/PASSfor re-authentication.
Protection from this CVE
- Upgrade to patched version (once available) or apply fixes: validate credentials in `login()` and `dirName` in `_openDir()` using regex
/[\r\n\0]/. - Alternatively, override `FtpContext.send()` to reject any command containing CRLF or null bytes.
- Avoid passing untrusted user input as FTP credentials or remote path segments.
- Use FTP over TLS (FTPS) and restrict server permissions, but injection still works on control channel.
Impact:
- Unauthenticated command injection before login: delete, rename, create, or change permissions on files/directories. Attacker can hijack session by injecting
USER/PASSto re-authenticate as a different user. Applications that accept user-supplied FTP credentials (web file managers, backup tools) are directly exploitable.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

