Platform
nodejs
Component
basic-ftp
Fixed versions
5.2.1
5.2.0
CVE-2026-27699 is a critical path traversal vulnerability discovered in the basic-ftp Node.js library. This flaw allows a malicious FTP server to manipulate directory listings, enabling attackers to write files to arbitrary locations on the system. The vulnerability affects versions prior to 5.2.0 and can lead to unauthorized file access and potential system compromise. A fix is available in version 5.2.0.
The path traversal vulnerability in basic-ftp arises from insufficient validation of filenames received from an FTP server during the download process. Specifically, the downloadToDir() method fails to adequately sanitize filenames containing path traversal sequences like ../. An attacker controlling a malicious FTP server can craft directory listings with filenames designed to bypass this validation. This allows them to specify a download path that writes files outside the intended download directory, potentially overwriting critical system files or injecting malicious code. The blast radius extends to any system utilizing basic-ftp to download files from untrusted FTP servers, making it a widespread concern.
CVE-2026-27699 was publicly disclosed on 2026-02-25. The vulnerability's ease of exploitation and potential impact suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. It is not currently listed on the CISA KEV catalog.
Applications and services built on Node.js that utilize the basic-ftp library to download files from external FTP servers are at risk. This includes automated file transfer systems, backup solutions, and any application that relies on basic-ftp for FTP functionality. Specifically, systems that handle user-provided FTP server addresses or filenames are particularly vulnerable.
• nodejs / server:
npm list basic-ftp
• nodejs / server:
npm audit basic-ftp
• nodejs / server:
Inspect application code for instances where basic-ftp is used to download files from external FTP servers, paying close attention to how filenames are handled and validated.
disclosure
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27699 is to immediately upgrade the basic-ftp library to version 5.2.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by sanitizing filenames received from the FTP server before passing them to the downloadToDir() method. This can be achieved by stripping out any occurrences of ../ or other path traversal sequences. Additionally, consider implementing a Web Application Firewall (WAF) or proxy to filter FTP traffic and block requests containing suspicious filenames. After upgrading, confirm the fix by attempting a download from a controlled FTP server with a filename containing ../ to ensure the file is not written outside the intended directory.
Update the basic-ftp library to version 5.2.0 or later. This fixes the path traversal vulnerability in the downloadToDir() method. The update can be performed with the npm package manager.
CVE-2026-27699 is a critical path traversal vulnerability in the basic-ftp Node.js library, allowing attackers to write files outside the intended download directory.
You are affected if you are using basic-ftp versions prior to 5.2.0 and downloading files from untrusted FTP servers.
Upgrade to basic-ftp version 5.2.0 or later. As a temporary workaround, sanitize filenames received from the FTP server.
While no active exploitation has been confirmed, the vulnerability is easy to exploit, so attacks against unpatched deployments are plausible.
Refer to the basic-ftp project's repository and release notes for the official advisory and details on the fix.