GHSA-6v7q-wjvx-w8wg: basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
basic-ftp’s CRLF injection protection (added in commit 2ecc8e2 for GHSA-chqc-8p9q-pq6q) is incomplete. Two code paths bypass the protectWhitespace() control character check: (1) the login() method directly concatenates user-supplied credentials into USER/PASS FTP commands without any validation, and (2) the _openDir() method sends an MKD command before cd() invokes protectWhitespace(), creating a TOCTOU bypass. Both vectors allow an attacker who controls input to inject arbitrary FTP commands into the control connection.
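The defensive pattern both findings point at is a single chokepoint that validates every argument before it is concatenated into a control-connection command line, so that neither a credential nor a path sent ahead of `cd()` can carry a CR or LF. The following is an added example written for this advisory, not basic-ftp's own code: `buildCommand`, `RecordingConnection` and `openDir` are hypothetical names, and the constructed inputs in the tests are illustrative only.

```javascript
// Added example, not basic-ftp's code: every FTP argument passes one control
// character check before the command line is assembled, so USER/PASS and
// MKD take the same path as CWD instead of bypassing it.

// Bytes that can terminate or alter a control-connection line: C0 controls
// (which include CR 0x0d and LF 0x0a) and DEL.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

class FtpCommandError extends Error {}

// Reject any argument that is not a plain string free of control characters.
function assertNoControlChars(value, what) {
  if (typeof value !== "string") {
    throw new TypeError(`${what} must be a string`);
  }
  if (CONTROL_CHARS.test(value)) {
    throw new FtpCommandError(`${what} contains control characters`);
  }
  return value;
}

// Assemble one command line. Validation happens here, so no caller can reach
// the wire with an unchecked argument.
function buildCommand(verb, ...args) {
  for (const arg of args) {
    assertNoControlChars(arg, `argument to ${verb}`);
  }
  return args.length ? `${verb} ${args.join(" ")}\r\n` : `${verb}\r\n`;
}

// The credential pair a login path would send, validated like any other argument.
function buildLoginCommands(user, password) {
  return [buildCommand("USER", user), buildCommand("PASS", password)];
}

// Minimal stand-in for a control connection: it only records what was sent.
class RecordingConnection {
  constructor() {
    this.sent = [];
  }
  send(line) {
    this.sent.push(line);
  }
}

// Same order as the affected path (MKD first, then change directory), but the
// path is validated once before either command is built, so nothing is sent
// if the check fails. Returns the number of lines written to the connection.
function openDir(conn, path) {
  assertNoControlChars(path, "directory path");
  conn.send(buildCommand("MKD", path));
  conn.send(buildCommand("CWD", path));
  return conn.sent.length;
}
```

Because the check lives in `buildCommand` rather than in one high-level method, adding a new command later cannot reintroduce the gap; a failed check also leaves the connection untouched, which is what the `RecordingConnection` assertions verify.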