CVE-2026-27699 Overview
The basic-ftp FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in the downloadToDir() method of versions prior to 5.2.0. A malicious FTP server can return directory listings whose filenames contain path traversal sequences (../), causing files to be written outside the intended download directory. An attacker controlling such a server can therefore write arbitrary files to locations outside the designated download directory on the client system.
Critical Impact
Malicious FTP servers can exploit this path traversal flaw to write files anywhere on the client filesystem, potentially leading to remote code execution, configuration tampering, or complete system compromise.
Affected Products
- patrickjuchli basic-ftp versions prior to 5.2.0
- Node.js applications using vulnerable basic-ftp package
- Any service or application integrating basic-ftp for FTP downloads
Discovery Timeline
- 2026-02-25 - CVE-2026-27699 published to NVD
- 2026-02-26 - Last updated in the NVD database
Technical Details for CVE-2026-27699
Vulnerability Analysis
This path traversal vulnerability exists in the downloadToDir() method of the basic-ftp library. When a client connects to an FTP server and downloads files, the server provides a directory listing containing filenames. In vulnerable versions, the library does not properly validate or sanitize these filenames before using them to construct file paths on the local filesystem.
An attacker operating a malicious FTP server can craft directory listings containing filenames with path traversal sequences such as ../../../etc/cron.d/malicious or ../../../home/user/.bashrc. When the client processes these listings, the tainted filenames are concatenated directly with the target download directory, causing files to be written to arbitrary locations outside the intended directory.
Root Cause
The root cause is improper input validation of filenames received from the FTP server before they are used in filesystem operations. The vulnerable code directly joins the server-provided filename with the local download path using join() without first stripping or validating the filename component. The fix introduces the use of basename() to extract only the filename portion, effectively neutralizing any path traversal sequences.
Attack Vector
The attack requires the victim to connect to a malicious FTP server controlled by the attacker. This could occur through:
- Social engineering users to connect to a malicious server
- Compromising DNS to redirect FTP connections
- Man-in-the-middle attacks on unencrypted FTP connections
- Supplying malicious FTP server URLs in configuration or user input
Once connected, the malicious server responds to directory listing requests with crafted filenames containing ../ sequences. When the victim's application calls downloadToDir(), files are written outside the intended directory.
import { createReadStream, createWriteStream, mkdir, readdir, stat, open, close, unlink } from "fs"
-import { join } from "path"
+import { basename, join } from "path"
import { Readable, Writable } from "stream"
import { connect as connectTLS, ConnectionOptions as TLSConnectionOptions } from "tls"
import { promisify } from "util"
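Review bot: This excerpt only adds basename to the path import; the call site in downloadToDir() where each listing entry is passed through basename() before join() is not part of the hunk, so confirm that change landed together with the import. It is also worth checking that entries named "." or ".." are skipped, since basename() returns those unchanged and join(dir, "..") still resolves to the parent of the download directory.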
Source: GitHub Commit 2a2a0e6
The patch imports basename from the path module to sanitize filenames by extracting only the base filename component, stripping any directory path sequences including traversal attempts.
Detection Methods for CVE-2026-27699
Indicators of Compromise
- Unexpected files appearing in system directories outside of designated FTP download locations
- Files with suspicious names or content in sensitive directories like /etc/cron.d/, user home directories, or application config paths
- FTP connection logs showing connections to unfamiliar or suspicious FTP servers
- Application logs showing downloads of files with ../ sequences in their names
Detection Strategies
- Scan package.json and package-lock.json files for basic-ftp dependencies with versions below 5.2.0
- Implement software composition analysis (SCA) tools to identify vulnerable npm packages in CI/CD pipelines
- Monitor file creation events for paths that contain traversal patterns originating from FTP client processes
- Use endpoint detection to identify file writes outside expected directories during FTP operations
Monitoring Recommendations
- Enable file integrity monitoring on critical system directories and configuration files
- Log all FTP connections including destination servers, transferred filenames, and local write paths
- Alert on basic-ftp library usage in production environments until patching is confirmed
- Monitor for anomalous file creation patterns in system directories that correlate with FTP activity
How to Mitigate CVE-2026-27699
Immediate Actions Required
- Update the basic-ftp package to version 5.2.0 or later immediately
- Audit applications for usage of the downloadToDir() method with untrusted FTP servers
- Review filesystem permissions to limit write access from application processes
- Consider temporarily disabling FTP download functionality in production until patched
Patch Information
The vulnerability is fixed in basic-ftp version 5.2.0. The patch introduces proper filename sanitization using basename() to prevent path traversal attacks. For detailed patch information, see the GitHub Release v5.2.0 and the GitHub Security Advisory GHSA-5rq4-664w-9x2c.
Workarounds
- Validate and sanitize all filenames received from FTP servers before writing to disk if patching is not immediately possible
- Implement application-level filename validation to reject any filename containing ../ or absolute paths
- Use chroot or containerization to limit filesystem access for FTP client processes
- Only connect to trusted, known FTP servers until the library is updated
# Install the patched basic-ftp version (npm update does not accept a version spec)
npm install basic-ftp@5.2.0
# Verify the installed version
npm list basic-ftp
# Audit the dependency tree for known vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.