GHSA-chqc-8p9q-pq6q: basic-ftp has FTP Command Injection via CRLF

April 8, 2026

basic-ftp version 5.2.0 allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library’s protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.

References

github.com/advisories/GHSA-chqc-8p9q-pq6q
github.com/patrickjuchli/basic-ftp
github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b
github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1
github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q

Code Behaviors & Features

Detect and mitigate GHSA-chqc-8p9q-pq6q with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →