CVE-2026-27699 in basic-ftp
Summary
by MITRE • 02/25/2026
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Analysis
by VulDB Data Team • 03/04/2026
CVE-2026-27699 is a path traversal flaw (CWE-22) in the basic-ftp Node.js library affecting versions prior to 5.2.0. It sits in the downloadToDir() method, which developers use to mirror a remote directory to a local one. The method obtains a directory listing from the FTP server and writes each entry under the chosen local directory, but vulnerable versions do not validate or sanitize the filenames the server supplies. A malicious or compromised server can therefore return entries whose names contain traversal sequences such as ../, and the library joins them onto the download path as-is, so the resulting file lands outside the intended directory. The direct consequence is an attacker-controlled file write at a location of the attacker's choosing, subject to the permissions of the process running the client; depending on what is writable, that can mean overwriting data, disclosing information through clobbered configuration, or, where the target is something the system later executes, code execution. The trust boundary that matters here is the one between the client and the remote server: listing data is remote input and must be treated as untrusted, which is exactly the assumption CWE-22 describes software failing to make.
The operational impact goes beyond the download directory itself. An attacker who controls the FTP server can overwrite files the client process is allowed to write, drop content into locations the application never intended to touch, or place files where other software will pick them up. The exposure is greatest for components that connect to FTP servers they do not control or that accept server addresses from users or configuration, for example file synchronization tools, backup agents, and content management or integration platforms that pull data over FTP. Note that the client does not need to be reachable from the network: it is the outbound connection to a hostile server that triggers the write. The VulDB mapping to ATT&CK T1078.002 (Valid Accounts: Domain Accounts) is approximate, since that technique describes abuse of legitimate domain credentials rather than a file write; the more direct reading is that an out-of-directory write can be used to plant material, such as credentials or startup files, that supports persistence. Severity rises sharply when the client runs with elevated privileges or when the download directory sits close to system paths, because a short ../ sequence is then enough to reach files whose modification leads to privilege escalation or full system compromise.
Organizations and developers using basic-ftp should upgrade to version 5.2.0 or later, which the summary identifies as the fixed release; confirm the resolved version in the lockfile rather than the range in package.json, since a caret range can still resolve to an older install. Beyond the upgrade, apply defense in depth: restrict which FTP servers the client may reach (egress filtering, an allowlist of trusted hosts), run the client under a low-privilege account whose write access is limited to the intended download location, and have the application itself verify before each write that the resolved target path stays inside a predetermined directory instead of trusting the library alone. Monitoring for file creation or modification outside expected paths by the client process provides a detection signal if an older version remains in use. The broader lesson is the usual one for protocols that drive filesystem operations: every name, path, or size that arrives from the remote side is untrusted input and must be validated before it reaches the local filesystem.