Critical severity · NVD Advisory · Published Feb 25, 2026 · Updated Feb 27, 2026

Basic FTP has Path Traversal Vulnerability in its downloadToDir() method

CVE-2026-27699

Description

The basic-ftp FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the downloadToDir() method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (../) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
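The following is an added example, not basic-ftp's code or its 5.2.0 patch: it contrasts joining a server-supplied listing name to the local directory as-is with a containment check that resolves the path and rejects anything outside the download directory. The function names, the directory /srv/downloads and the listing entries are assumptions constructed for illustration, and the expected paths assume a POSIX system.

```javascript
// Added example: function names and sample data are hypothetical, not from basic-ftp.
const path = require("node:path");

// Unsafe pattern: the name from the server's listing is trusted and joined directly.
function unsafeLocalPath(localDir, remoteName) {
  return path.join(localDir, remoteName);
}

// Hardened pattern: resolve the candidate path, then require that it stays
// strictly below the download directory before anything is written.
function safeLocalPath(localDir, remoteName) {
  if (typeof remoteName !== "string" || remoteName === "" || remoteName.includes("\0")) {
    throw new Error("invalid file name in listing");
  }
  const base = path.resolve(localDir);
  const candidate = path.resolve(base, remoteName); // an absolute name replaces base here
  const rel = path.relative(base, candidate);
  const escapes = rel === "" || rel === ".." ||
    rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error("listing entry escapes download directory: " + JSON.stringify(remoteName));
  }
  return candidate;
}

// Constructed listing entries such as an untrusted server could return.
const CONSTRUCTED_LISTING = [
  "report.txt",            // ordinary file
  "../outside.txt",        // direct traversal
  "sub/../../outside.txt", // traversal hidden behind a subdirectory
  "/etc/outside.txt",      // absolute path
  "..notes.txt",           // legitimate name that merely starts with two dots
];

// Classify every entry instead of stopping at the first bad one, so the
// result can be logged or alerted on.
function auditListing(localDir, names) {
  return names.map((name) => {
    try {
      return { name, ok: true, target: safeLocalPath(localDir, name) };
    } catch (err) {
      return { name, ok: false, reason: err.message };
    }
  });
}
```

A rejected entry is worth logging together with the server address, since a listing that contains traversal sequences indicates a hostile or compromised server.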

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
basic-ftp (npm) | < 5.2.0 | 5.2.0
