PT-2026-21918 · Basic-Ftp · Basic-Ftp

Thecasual · Published 2026-02-23 · Updated 2026-05-07 · CVE-2026-27699

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: basic-ftp versions prior to 5.2.0
Description: The basic-ftp FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in the downloadToDir() method. A malicious FTP server can return directory listings whose filenames contain path traversal sequences (../); when the client processes such a listing, files are written outside the intended download directory. The flaw lies in the handling of filenames received from the server: they are not validated before use, so traversal sequences pass through unchanged and files can be written to arbitrary locations on the client's filesystem, potentially overwriting critical files or placing malicious files in sensitive locations. The vulnerable code is located in src/Client.ts:707, where path.join() is called on the server-supplied filename without sanitization; path.join() normalizes the ../ segments, so the resulting path points outside the download directory.
Recommendations: Update to version 5.2.0 or later. As a workaround, do not use downloadToDir() against untrusted FTP servers, and sanitize every filename taken from a server listing before building a local path: strip directory components with basename() from the 'path' module, reject names that come back as '.', '..' or empty, and confirm that the resolved target still lies directly inside the download directory. Note that on POSIX platforms basename() does not treat a backslash as a separator, so a client that may also run on Windows should reject names containing '\' as well.

Weakness Enumeration

CWE-22: Path traversal

Related Identifiers

BDU:2026-04351
CVE-2026-27699
GHSA-5RQ4-664W-9X2C

Affected Products

Basic-Ftp