Platform: nodejs
Component: basic-ftp
Fixed in: 5.2.1, 5.2.0
CVE-2026-27699 is a critical path traversal vulnerability discovered in the basic-ftp Node.js library. This flaw allows a malicious FTP server to manipulate directory listings, enabling attackers to write files to arbitrary locations on the system. The vulnerability affects versions prior to 5.2.0 and can lead to unauthorized file access and potential system compromise. A fix is available in version 5.2.0.
The path traversal vulnerability in basic-ftp arises from insufficient validation of filenames received from an FTP server during the download process. Specifically, the downloadToDir() method does not adequately sanitize filenames containing path traversal sequences such as ../. An attacker controlling a malicious FTP server can craft directory listings with filenames designed to bypass this validation, causing files to be written outside the intended download directory, potentially overwriting critical system files or injecting malicious code. The blast radius covers any system that uses basic-ftp to download files from untrusted FTP servers, which makes this a widespread concern.
CVE-2026-27699 was publicly disclosed on 2026-02-25. The vulnerability's ease of exploitation and potential impact suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the nature of the vulnerability makes it likely that PoCs will emerge. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27699 is to upgrade the basic-ftp library to version 5.2.0 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, a temporary workaround is to sanitize filenames received from the FTP server before passing them to the downloadToDir() method, for example by stripping any occurrences of ../ or other path traversal sequences. Additionally, consider placing a Web Application Firewall (WAF) or proxy in front of FTP traffic to block requests containing suspicious filenames. After upgrading, confirm the fix by attempting a download from a controlled FTP server that serves a filename containing ../ and verifying that no file is written outside the intended directory.
Update the basic-ftp library to version 5.2.0 or higher. This fixes the path traversal vulnerability in the downloadToDir() method. The update can be performed with the npm package manager.
CVE-2026-27699 is a critical path traversal vulnerability in the basic-ftp Node.js library, allowing attackers to write files outside the intended download directory.
You are affected if you are using basic-ftp versions prior to 5.2.0 and downloading files from untrusted FTP servers.
Upgrade to basic-ftp version 5.2.0 or later. As a temporary workaround, sanitize filenames received from the FTP server.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation makes future exploitation plausible.
Refer to the basic-ftp project's repository and release notes for the official advisory and details on the fix.