Impact
The basic‑ftp library, used by Node.js applications, mistakenly accepts \r\n sequences in file path parameters for high‑level methods such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace helper only removes leading spaces and otherwise leaves the path unchanged. When the library forwards the constructed command to the FTP server, it appends \r\n and sends the string verbatim. An attacker who can supply a controlled path can insert a CRLF and split the intended FTP command into multiple commands, thereby gaining the ability to execute arbitrary FTP operations. This is a classic example of CWE‑93, where an input that controls a protocol delimiter is not validated, leading to command injection at the protocol level.
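The following is an added example, not code from basic‑ftp or its author: it models the failure mode described above (a whitespace helper that strips only leading spaces and therefore lets CR and LF reach the control connection) next to a hardened helper that rejects control characters, and shows how many commands the server would parse from one write in each case. The helper names, the `frameCommand`/`countWireCommands` functions and the sample paths are illustrative stand‑ins, not the library's API.

```javascript
// Added example modelling CWE-93 in an FTP client; not basic-ftp's own code.
// All names here are illustrative stand-ins for the behaviour the advisory describes.

const CRLF = "\r\n";

// Stand-in for the weak helper as described in the advisory: leading spaces are
// removed, everything else in the path (including CR and LF) survives untouched.
function protectWhitespaceWeak(path) {
  return path.replace(/^ +/, "");
}

// Hardened variant: an FTP argument must never contain the line terminator that
// delimits commands on the control connection. Reject CR, LF and the other C0
// control characters outright rather than trying to strip them.
function protectWhitespaceStrict(path) {
  if (typeof path !== "string") {
    throw new TypeError("path must be a string");
  }
  if (/[\u0000-\u001f\u007f]/.test(path)) {
    throw new Error("path contains control characters (possible CRLF injection)");
  }
  return path.replace(/^ +/, "");
}

// Builds the bytes a client would write to the control connection:
// "<VERB> <argument>\r\n". `sanitize` is whichever helper the caller trusts.
function frameCommand(verb, path, sanitize) {
  return `${verb} ${sanitize(path)}${CRLF}`;
}

// Counts how many commands the server would parse out of a single write.
// The intended result is exactly 1; anything higher means the argument split
// the command, which is the condition a defender wants to detect or prevent.
function countWireCommands(wire) {
  return wire.split(CRLF).filter((line) => line.length > 0).length;
}

// Constructed sample inputs (not taken from the advisory): a benign path with
// leading spaces, and a path carrying an embedded CRLF followed by a harmless
// second command.
const BENIGN_PATH = "  pub/readme.txt";
const INJECTED_PATH = "pub/readme.txt\r\nNOOP";

// Runs both helpers over both inputs and reports what would reach the wire.
function demo() {
  const results = {
    weakBenign: countWireCommands(frameCommand("CWD", BENIGN_PATH, protectWhitespaceWeak)),
    weakInjected: countWireCommands(frameCommand("CWD", INJECTED_PATH, protectWhitespaceWeak)),
    strictBenign: countWireCommands(frameCommand("CWD", BENIGN_PATH, protectWhitespaceStrict)),
    strictInjected: "rejected",
  };
  try {
    frameCommand("CWD", INJECTED_PATH, protectWhitespaceStrict);
    results.strictInjected = "accepted"; // would mean the hardened check failed
  } catch (e) {
    results.strictInjected = "rejected";
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
  // { weakBenign: 1, weakInjected: 2, strictBenign: 1, strictInjected: 'rejected' }
}
```

The weak helper turns one intended `CWD` into two server‑side commands; the strict helper refuses the path before anything is framed. Applications on an unpatched version can apply the same control‑character check to every path they pass to the high‑level methods listed above until they upgrade to 5.2.1 or later.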
Affected Systems
Patrick Juchli's basic‑ftp library is used by Node.js applications. Versions prior to 5.2.1 are vulnerable. Any application that imports basic‑ftp and passes unsanitized paths to the high‑level path APIs (cd, remove, rename, uploadFrom, downloadTo, list, removeDir) is affected. The advisory gives no indication that exposure depends on the operating system or deployment model.
Risk and Exploitability
The vulnerability has a CVSS vector indicating high severity with a base score of 8.6. The EPSS score is 2 %, implying a low but non‑negligible probability of exploitation. The flaw is not listed in the CISA KEV catalog. An attacker who controls the file path argument and holds valid FTP credentials can use CRLF sequences to split a single intended command into multiple commands, effectively gaining the ability to execute arbitrary FTP operations such as uploading, downloading, deleting, or renaming files. This can compromise the confidentiality, integrity, and availability of the files on the target FTP server. The attack requires only application‑level control over the path parameter; no network access beyond normal FTP usage is required.
OpenCVE Enrichment
Github GHSA