Platform
nodejs
Component
basic-ftp
Fixed in
5.2.1
5.2.0
CVE-2026-27699 is a critical path traversal vulnerability discovered in the basic-ftp Node.js library. This flaw allows a malicious FTP server to manipulate directory listings, enabling attackers to write files to arbitrary locations on the system. The vulnerability affects versions prior to 5.2.0 and can lead to unauthorized file access and potential system compromise. A fix is available in version 5.2.0.
The basic-ftp library's downloadToDir() method is vulnerable to path traversal due to improper handling of directory listings received from an FTP server. An attacker controlling the FTP server can craft a malicious LIST response containing filenames with path traversal sequences (e.g., ../). When basic-ftp parses this response, it incorrectly extracts the filename, allowing the attacker to specify a download path outside the intended directory. This could allow an attacker to overwrite critical system files, execute arbitrary code, or gain unauthorized access to sensitive data. The potential impact is significant, as successful exploitation could lead to complete system compromise.
CVE-2026-27699 was publicly disclosed on 2026-02-25. While no active exploitation campaigns have been publicly reported, the vulnerability's CRITICAL severity and ease of exploitation suggest a potential for future attacks. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Applications and services built on Node.js that utilize the basic-ftp library to download files from external FTP servers are at risk. This includes automated file transfer systems, backup solutions, and any application that relies on basic-ftp for FTP functionality. Specifically, systems that handle user-provided FTP server addresses or filenames are particularly vulnerable.
• nodejs / server: npm list basic-ftp
• nodejs / server: npm audit basic-ftp
• nodejs / server: Inspect application code for instances where basic-ftp is used to download files from external FTP servers, paying close attention to how filenames are handled and validated.
Disclosure
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27699 is to upgrade the basic-ftp library to version 5.2.0 or later. This version includes a fix that properly validates filenames received from the FTP server, preventing path traversal attacks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter malicious FTP responses. Specifically, look for patterns containing ../ sequences in filenames. Additionally, carefully review and sanitize any user-provided input used in file paths within your application. After upgrading, confirm the fix by attempting a download with a crafted FTP LIST response containing path traversal sequences to ensure files are not written outside the intended directory.
Update the basic-ftp library to version 5.2.0 or later. This fixes the path traversal vulnerability in the downloadToDir() method. The update can be performed with the npm package manager.
CVE-2026-27699 is a critical path traversal vulnerability in the basic-ftp Node.js library, allowing attackers to write files outside the intended download directory.
You are affected if you are using basic-ftp versions prior to 5.2.0 and downloading files from untrusted FTP servers.
Upgrade to basic-ftp version 5.2.0 or later. As a temporary workaround, sanitize filenames received from the FTP server.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation makes future attacks plausible.
Refer to the basic-ftp project's repository and release notes for the official advisory and details on the fix.