basic-ftp, CRLF Injection, GHSA-chqc-8p9q-pq6q (Critical)

Listen to this Post

The vulnerability works through two incomplete CRLF injection patches. First, the `login()` method concatenates user-supplied `user` and `password` directly into `USER` and `PASS` FTP commands without any CRLF validation. The `FtpContext.send()` writes the command string plus `\r\n` to the TCP socket, so an attacker can inject `\r\nDELE file.txt` inside a username. The `protectWhitespace()` function rejects \r, \n, and `\0` but is never called for credentials. Second, the `_openDir()` method sends an `MKD` command using unsanitized `dirName` before calling cd(), which later invokes protectWhitespace(). This TOCTOU bypass allows an attacker to inject FTP commands via path fragments (e.g., test\r\nDELE file.txt/subdir) because the malicious `MKD` is already transmitted. Both vectors enable arbitrary FTP command injection on the control connection.
Platform: basic-ftp npm package
Version: All vulnerable versions
Vulnerability: CRLF injection bypass
Severity: Critical
date: April 12 2024

Prediction: Patch expected 2024-05-01

What Undercode Say:

Analytics:

Test CRLF injection in credentials using netcat
echo -e "USER anonymous\r\nDELE secret.txt\r\nPASS guest\r\n" | nc target-ftp 21
Node.js PoC to detect vulnerable basic-ftp
npm list basic-ftp
grep -r "protectWhitespace" node_modules/basic-ftp/dist/Client.js
// Automated check for missing validation in login()
const client = new require('basic-ftp').Client();
client.ftp.socket.write = (data) => {
if (data.includes('\r\n')) console.log('CRLF injection possible');
};

How Exploit:

  • Vector 1: Provide username `”anonymous\r\nDELE important.txt”` and any password. The server receives USER anonymous\r\nDELE important.txt\r\nPASS guest, executing DELE before PASS.
  • Vector 2: Call client.ensureDir("dir\r\nDELE victim.txt/sub"). `_openDir` sends `MKD dir\r\nDELE victim.txt` immediately. `cd()` later throws on CRLF, but the injected `DELE` already runs.
  • Use FTP command chaining: RNFR, RNTO, MKD, RMD, SITE CHMOD, or USER/PASS for re-authentication.

Protection from this CVE

  • Upgrade to patched version (once available) or apply fixes: validate credentials in `login()` and `dirName` in `_openDir()` using regex /[\r\n\0]/.
  • Alternatively, override `FtpContext.send()` to reject any command containing CRLF or null bytes.
  • Avoid passing untrusted user input as FTP credentials or remote path segments.
  • Use FTP over TLS (FTPS) and restrict server permissions, but injection still works on control channel.

Impact:

  • Unauthenticated command injection before login: delete, rename, create, or change permissions on files/directories. Attacker can hijack session by injecting USER/PASS to re-authenticate as a different user. Applications that accept user-supplied FTP credentials (web file managers, backup tools) are directly exploitable.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top