CRLF Injection Affecting aioftp package, versions [,0.26.3)

Q: How to fix?

Upgrade aioftp to version 0.26.3 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about CRLF Injection vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-AIOFTP-13304441
published6 Oct 2025
disclosed2 Oct 2025
creditCycloctane

Report a new vulnerability Found a mistake?

Introduced: 2 Oct 2025

NewCWE-93 (opens in a new tab)

How to fix?

Upgrade aioftp to version 0.26.3 or higher.

Overview

aioftp is a ftp client/server for asyncio

Affected versions of this package are vulnerable to CRLF Injection via the aioftp.Client.command method that lacks checks for CR/LF characters in command strings. An attacker can add the \r\n characters and inject additional headers in the FTP request sent.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
Low
Integrity (SI)
Low
Availability (SA)
None