CVE-2026-27699 — Path Traversal in Basic-ftp

CWE-22 — Path Traversal7 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.2%

top 61.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Patrickjuchli Basic-ftp Debian Node-proxy-agents

Timeline

PublishedFeb 25

Description

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/node-proxy-agents< node-proxy-agents 0~2025070717+~cs15.2.7-1 (forky)

▶NVDpatrickjuchli/basic-ftp< 5.2.0

▶npmpatrickjuchli/basic-ftp< 5.2.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

Basic FTP has Path Traversal Vulnerability in its downloadToDir() method↗2026-02-25

▶

OSV

Basic FTP has Path Traversal Vulnerability in its downloadToDir() method↗2026-02-25

▶

OSV

CVE-2026-27699: The `basic-ftp` FTP client library for Node↗2026-02-25

▶

📋Vendor Advisories

Red Hat

basic-ftp: basic-ftp: File overwrite due to path traversal↗2026-02-25

▶

Debian

CVE-2026-27699: node-proxy-agents - The `basic-ftp` FTP client library for Node.js contains a path traversal vulnera...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27699 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶