Path Traversal Vulnerability in basic-ftp Library for Node.js
CVE-2026-27699

9.1 CRITICAL

Key Information:

Status
Vendor
CVE Published: 25 February 2026

What is CVE-2026-27699?

The basic-ftp FTP client library for Node.js is vulnerable to path traversal in its 'downloadToDir()' method. A malicious FTP server can send directory listings that contain path traversal sequences, which causes files to be written outside the designated download directory. All versions prior to 5.2.0 are affected; the issue is fixed in version 5.2.0.
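An added example, not code from basic-ftp or from this advisory: one way a client can validate entry names taken from a remote directory listing before writing into a local download directory. The function names safeLocalPath and planDownloads and the sample listing are assumptions constructed for illustration.

```javascript
// Added example (not basic-ftp's own code). safeLocalPath, planDownloads and
// SAMPLE_LISTING are hypothetical names constructed for this illustration.
const path = require("path");

// Map a server-supplied listing entry name to a local path inside baseDir.
// Returns null when the name could place the file outside baseDir.
function safeLocalPath(baseDir, remoteName) {
  if (typeof remoteName !== "string" || remoteName.length === 0) return null;
  // A listing entry names one item in the current remote directory, so it
  // must be a single path component: no separators, no NUL, not "." or "..".
  if (/[\/\\\0]/.test(remoteName)) return null;
  if (remoteName === "." || remoteName === "..") return null;

  const base = path.resolve(baseDir);
  const target = path.resolve(base, remoteName);
  // Defence in depth: confirm the resolved path is still under baseDir.
  const rel = path.relative(base, target);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep);
  if (rel === "" || escapes || path.isAbsolute(rel)) return null;
  return target;
}

// Split a listing into entries that are safe to write and entries to refuse
// (refused names are worth logging: they indicate a hostile or broken server).
function planDownloads(baseDir, names) {
  const accepted = [];
  const rejected = [];
  for (const name of names) {
    const local = safeLocalPath(baseDir, name);
    if (local === null) rejected.push(name);
    else accepted.push({ name, local });
  }
  return { accepted, rejected };
}

// Constructed sample of names as they might appear in a directory listing.
const SAMPLE_LISTING = [
  "report.txt",        // ordinary file name
  "..notes",           // unusual but legitimate single-component name
  "../outside.txt",    // relative traversal
  "/tmp/absolute.txt", // absolute path
  "sub/../../x.txt",   // traversal hidden behind a subdirectory
  "..",                // parent directory itself
  "..\\outside.txt",   // backslash separator variant
];
```

A check like this protects only the code path that calls it; for the library's own 'downloadToDir()', the remedy on this page is to upgrade to 5.2.0.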

Affected Version(s)

basic-ftp < 5.2.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
