cbcvebase.
CVE-2026-27699
published 2026-02-25


Priority: P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.53% (40.6th percentile)
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-proxy-agents | < node-proxy-agents 0~2025070717+~cs15.2.7-1 (forky) | node-proxy-agents 0~2025070717+~cs15.2.7-1 (forky) |
| patrickjuchli | basic-ftp | < 5.2.0 | 5.2.0 |
| patrickjuchli | basic-ftp | >= 0 < 5.2.0 | 5.2.0 |

Detection & IOCs (extracted from sources)

  • Detect path traversal sequences in FTP directory listing filenames sent by a server to a basic-ftp client
  • Monitor for unexpected file writes outside the intended download directory when the `downloadToDir()` method is invoked in basic-ftp versions prior to 5.2.0
  • Exploitation impact is scoped to the permissions of the process running basic-ftp; arbitrary file overwrites are limited to what the active user can access
  • The vulnerability only affects basic-ftp versions prior to 5.2.0; upgrading to 5.2.0 fully remediates the issue
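
The first detection bullet above, as an added example (not basic-ftp's own code and not its 5.2.0 patch): a Node.js check that treats every listing name as untrusted and accepts it only if it is a single path component that resolves inside the download directory. The names `resolveInside` and `auditListing`, the `/srv/downloads` path and the sample listing are constructed for illustration.

```javascript
// Added example, not basic-ftp's code: vet server-supplied listing names
// before any of them is joined to a local download directory.
const path = require("node:path");

// Return the absolute local path for `name` if it stays inside `baseDir`,
// otherwise null. `name` is untrusted: it comes from the FTP server.
function resolveInside(baseDir, name) {
  if (typeof name !== "string" || name.length === 0 || name.includes("\0")) {
    return null;
  }
  // A listing entry should be a single path component. Backslashes are
  // rejected too, since they are separators on Windows clients.
  if (name === "." || name === ".." || /[\\/]/.test(name)) {
    return null;
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, name);
  // Defense in depth: the resolved path must still sit under the base.
  const rel = path.relative(base, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) ||
      path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Split a listing into names that are safe to write and names to reject.
function auditListing(baseDir, names) {
  const accepted = [];
  const rejected = [];
  for (const name of names) {
    const target = resolveInside(baseDir, name);
    if (target === null) rejected.push(name);
    else accepted.push({ name, target });
  }
  return { accepted, rejected };
}

// Constructed sample listing (not taken from a real server).
const SAMPLE_LISTING = [
  "report.csv",
  "..notes.txt",            // legitimate name that merely starts with dots
  "../outside.txt",
  "..",
  "/abs/outside.txt",
  "sub\\..\\..\\outside.txt",
];

console.log(auditListing("/srv/downloads", SAMPLE_LISTING).rejected);
```

Rejected names are worth logging with the server address, since a listing that contains them is itself an indicator of a hostile or compromised server.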

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv · 9.8 CRITICAL
vendor_debian · 9.1 CRITICAL
vendor_redhat · 9.1 CRITICAL