Critical severity · NVD Advisory · Published Feb 25, 2026 · Updated Feb 27, 2026
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
CVE-2026-27699
Description
The basic-ftp FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the downloadToDir() method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (../) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
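The join behaviour described above, next to a stricter name check, as an added example that is not basic-ftp's own code. `naiveLocalPath`, `safeLocalPath`, `triage` and the sample listing are hypothetical and constructed; the check goes beyond the 5.2.0 single-component test by also rejecting dot-only names and confirming containment after resolution.

```javascript
// Added example, not basic-ftp source. Function names and the listing are constructed.
const path = require("node:path");

// Pre-5.2.0 behaviour: the server-supplied name is joined as-is.
function naiveLocalPath(baseDir, name, p = path) {
  return p.join(baseDir, name);
}

// Returns the local path for `name` inside `baseDir`, or null if the entry must be skipped.
// `p` selects path.posix or path.win32 (defaults to the host's rules).
function safeLocalPath(baseDir, name, p = path) {
  if (typeof name !== "string" || name === "" || name === "." || name === "..") return null;
  // Reject both separator styles and NUL, whatever the host platform is.
  if (/[\/\\\0]/.test(name)) return null;
  // The test the 5.2.0 patch applies: the name must be a single path component.
  if (p.basename(name) !== name) return null;
  // Defence in depth: the resolved target must stay strictly inside baseDir.
  const root = p.resolve(baseDir);
  const target = p.resolve(root, name);
  const rel = p.relative(root, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + p.sep) || p.isAbsolute(rel)) return null;
  return target;
}

// Splits a listing into paths that are safe to write and names to log and skip.
function triage(baseDir, names, p = path) {
  const accepted = [];
  const skipped = [];
  for (const name of names) {
    const target = safeLocalPath(baseDir, name, p);
    if (target === null) skipped.push(name);
    else accepted.push(target);
  }
  return { accepted, skipped };
}

// Constructed listing mixing ordinary names with ones that must be skipped.
const sampleListing = ["report.csv", "../outside.txt", "/tmp/outside.txt", "..", "sub\\..\\x", "", "..notes.txt"];

// The naive join leaves the download directory; the triage keeps only contained paths.
console.log(naiveLocalPath("/srv/downloads", "../outside.txt", path.posix));
console.log(triage("/srv/downloads", sampleListing, path.posix));
```

Skipped names are worth logging with `JSON.stringify`, as the patch does, so control characters in a hostile name cannot garble the log.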
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| basic-ftp (npm) | < 5.2.0 | 5.2.0 |
Affected products
- Range: < 5.2.0
Patches
2a2a0e651435 Skip invalid filenames
1 file changed · +7 −1
src/Client.ts+7 −1 modified@@ -1,5 +1,5 @@ import { createReadStream, createWriteStream, mkdir, readdir, stat, open, close, unlink } from "fs" -import { join } from "path" +import { basename, join } from "path" import { Readable, Writable } from "stream" import { connect as connectTLS, ConnectionOptions as TLSConnectionOptions } from "tls" import { promisify } from "util" @@ -704,6 +704,12 @@ export class Client { protected async _downloadFromWorkingDir(localDirPath: string): Promise<void> { await ensureLocalDirectory(localDirPath) for (const file of await this.list()) { + const hasInvalidName = !file.name || basename(file.name) !== file.name + if (hasInvalidName) { + const safeName = JSON.stringify(file.name) + this.ftp.log(`Invalid filename from server listing, will skip file. (${safeName})`) + continue + } const localPath = join(localDirPath, file.name) if (file.isDirectory) { await this.cd(file.name)
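Review bot: the `basename(file.name) !== file.name` test in `_downloadFromWorkingDir` still lets the names `.` and `..` through, because `basename("..")` returns `".."`; unless `list()` drops those entries before this loop, `join(localDirPath, file.name)` and `this.cd(file.name)` would then operate on the parent directory. Suggest making the rule explicit by adding `file.name === "." || file.name === ".."` to `hasInvalidName`. Since the commit touches only `src/Client.ts`, a test that feeds a listing with separator-bearing and dot-only names and asserts they are skipped would lock the behaviour in.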
References
- github.com/advisories/GHSA-5rq4-664w-9x2c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27699 (GHSA, advisory)
- github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9 (GHSA, x_refsource_MISC, web)
- github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0 (GHSA, x_refsource_MISC, web)
- github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c (GHSA, x_refsource_CONFIRM, web)