Description
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Published: 2026-02-25
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote directory traversal allowing an attacker to write files outside the intended download location
Action: Immediate Patch
AI Analysis

Impact

The basic-ftp Node.js library contains a path traversal flaw in its downloadToDir() method, allowing a malicious FTP server to supply directory listings with filenames that include traversal sequences such as ../. When the client processes these listings, the files are written outside the intended download directory, potentially overwriting system files or creating arbitrary files. This flaw could compromise the integrity and confidentiality of the file system on the client machine, with a severity score of 9.1 on the CVSS scale.

Affected Systems

Vulnerable occur in all versions of basic-ftp prior to 5.2.0. The affected product is the Node.js FTP client library maintained by patrickjuchli. Any Node.js application that imports basic-ftp and invokes downloadToDir() against an FTP server is at risk; the library has been widely used in management tooling and automation scripts.

Risk and Exploitability

The condition for exploitation requires the attacker to control or manipulate the FTP server’s directory listings sent to the client. As the EPSS score is below 1%, the observed exploitation likelihood is currently low, but the high CVSS score and the absence of the vulnerability from the CISA KEV list suggest it is a critical vulnerability that could become targeted as interest grows. Remote attackers can trigger the flaw remotely by simply hosting an FTP service that serves malicious listings; no local code execution is required beyond the library’s standard use.

Generated by OpenCVE AI on April 16, 2026 at 16:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the basic-ftp library to version 5.2.0 or later, which contains the patch for this path traversal flaw.
  • Configure any trusted FTP servers to omit directory listings that contain traversal components such as ../, limiting the opportunity for the client to process unsafe paths.
  • If upgrading the library is not feasible, avoid using downloadToDir() and instead manually fetch files, sanitizing all filenames before writing them to disk.

Generated by OpenCVE AI on April 16, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5rq4-664w-9x2c Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
History

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:patrickjuchli:basic-ftp:*:*:*:*:*:node.js:*:*

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Patrickjuchli
Patrickjuchli basic-ftp
Vendors & Products Patrickjuchli
Patrickjuchli basic-ftp

Thu, 26 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 25 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Description The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Title Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Patrickjuchli Basic-ftp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T17:04:33.751Z

Reserved: 2026-02-23T17:56:51.202Z

Link: CVE-2026-27699

cve-icon Vulnrichment

Updated: 2026-02-27T17:04:29.675Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T15:20:53.523

Modified: 2026-02-26T15:27:45.597

Link: CVE-2026-27699

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-25T14:58:56Z

Links: CVE-2026-27699 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses