Patrickjuchli Basic-Ftp vulnerabilities
3 known vulnerabilities affecting patrickjuchli/basic-ftp.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2
Vulnerabilities
CVE-2026-41324 | HIGH | CVSS 7.5 | CWE-400 | fixed in 5.3.0 | 2026-04-24
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory
nvd
CVE-2026-39983 | HIGH | CVSS 8.6 | CWE-93 | fixed in 5.2.1 | 2026-04-09
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other path
ghsa, nvd, osv
CVE-2026-27699 | CRITICAL | CVSS 9.8 | CWE-22 | fixed in 5.2.0 | 2026-02-25
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.
ghsa, nvd, osv