Vulnerability Description
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Patrickjuchli | Basic-Ftp | < 5.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3fPatch
- https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0Release Notes
- https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9xExploitVendor AdvisoryMitigation
FAQ
What is CVE-2026-27699?
CVE-2026-27699 is a vulnerability with a CVSS score of 9.1 (CRITICAL). The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory li...
How severe is CVE-2026-27699?
CVE-2026-27699 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-27699?
Check the references section above for vendor advisories and patch information. Affected products include: Patrickjuchli Basic-Ftp.