CVE-2026-27699
Published 2026-02-25
CVE-2026-27699: The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A…
Priority P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.53% (40.6th percentile)
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-proxy-agents | < node-proxy-agents 0~2025070717+~cs15.2.7-1 (forky) | node-proxy-agents 0~2025070717+~cs15.2.7-1 (forky) |
| patrickjuchli | basic-ftp | < 5.2.0 | 5.2.0 |
| patrickjuchli | basic-ftp | >= 0 < 5.2.0 | 5.2.0 |
Detection & IOCs (extracted from sources)
- Detect path traversal sequences in FTP directory listing filenames sent by a server to a basic-ftp client
- Monitor for unexpected file writes outside the intended download directory when the `downloadToDir()` method is invoked in basic-ftp versions prior to 5.2.0
- Exploitation impact is scoped to the permissions of the process running basic-ftp; arbitrary file overwrites are limited to what the active user can access
- The vulnerability only affects basic-ftp versions prior to 5.2.0; upgrading to 5.2.0 fully remediates the issue
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.1 | CRITICAL | |
| vendor_redhat | 9.1 | CRITICAL | |
Red Hat
basic-ftp: basic-ftp: File overwrite due to path traversal
vendor_redhat · 2026-02-25 · CVSS 9.1 · CRITICAL · CWE-22
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
A flaw was found in basic-ftp, an FTP client library. A malicious FTP server can exploit a path traversal vulnerability (CWE-22) within the `downloadToDir()` method. This allows the server to send directory listings containing special sequences that trick the client into writing files to unintended locations on the system. Such an attack could lead to unauthorized f
Debian
CVE-2026-27699: node-proxy-agents - The `basic-ftp` FTP client library for Node.js contains a path traversal vulnera...
vendor_debian · 2026 · CVSS 9.1 · CRITICAL
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Scope: local
forky: resolved (fixed in 0~2025070717+~cs15.2.7-1)
sid: resolved (fixed in 0~2025070717+~cs15.2.7-1)
trixie: resolved (fixed in 0~2024040606-6+deb13u1)
GHSA
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
ghsa · 2026-02-25 · CRITICAL · CWE-22
The `basic-ftp` library contains a path traversal vulnerability in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory.
## Source-to-Sink Flow
```
1. SOURCE: FTP server sends LIST response
   └─> "-rw-r--r-- 1 user group 1024 Jan 20 12:00 ../../../etc/passwd"
2. PARSER: parseListUnix.ts:100 extracts filename
   └─> file.name = "../../../etc/passwd"
3. VALIDATION: parseListUnix.ts:101 checks
   └─> if (name === "." || name === "..") ❌ (only filters exact matches)
   └─> "../../../etc/passwd" !== "." && !== ".." ✅ PASSES
4. SINK: Client.ts:707 uses filename directly
   └─
```
OSV
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
osv · 2026-02-25 · CRITICAL
The `basic-ftp` library contains a path traversal vulnerability in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory.
OSV
CVE-2026-27699: The `basic-ftp` FTP client library for Node
osv · 2026-02-25 · CVSS 9.8 · CRITICAL
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27699 basic-ftp: basic-ftp: File overwrite due to path traversal
bugzilla · 2026-02-25 · CVSS 9.8 · CRITICAL
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Wiz
CVE-2026-27699 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · CRITICAL
## CVE-2026-27699: JavaScript vulnerability analysis and mitigation
Score: 9.8 (Source: NVD)
Published: February 25, 2026
Severity: CRITICAL
CNA Score: 9.1
Affected Technologies: JavaScript, Wolfi
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 26.4
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: langfuse-3, kibana-9.2
Sources
| Source | Severity | Fix status | Added at |
|---|---|---|---|
| NVD | | | |
| Chainguard | | Has Fix | Mar 02, 2026 |
| Debian 13, 14 | CRITICAL | Has Fix | Mar 02, 2026 |
| Echo | CRITICAL | Has Fix | Mar 02, 2026 |
| npm | CRITICAL | Has Fix | Mar 02, 2026 |
| MinimOS | CRITICAL | Has Fix | Mar 02, 2026 |
| Wolfi | | Has Fix | Mar 02 |