cvebase

Patrickjuchli Basic-Ftp vulnerabilities

4 known vulnerabilities affecting patrickjuchli/basic-ftp.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3

Vulnerabilities

CVE-2026-27699 | P2 | CRITICAL | CVSS 9.8 | fixed in 5.2.0 | 2026-02-25
CWE-22: The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.
Sources: GHSA, NVD, OSV

CVE-2026-39983 | P2 | HIGH | CVSS 8.6 | fixed in 5.2.1 | 2026-04-09
CWE-93: basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other path
Sources: GHSA, NVD, OSV

CVE-2026-44240 | P3 | HIGH | CVSS 7.5 | fixed in 5.3.1 | 2026-05-12
CWE-400: basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controll
Sources: GHSA, NVD

CVE-2026-41324 | P3 | HIGH | CVSS 7.5 | fixed in 5.3.0 | 2026-04-24
CWE-400: basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory
Sources: NVD