Cyber Posture

CVE-2026-27699

Severity: Critical · Public PoC

Published: 25 February 2026
Modified: 26 February 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0015 (35.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly addresses the CVE by requiring identification, reporting, and timely patching of the vulnerable basic-ftp library to version 5.2.0 or later.

prevent: Prevents path traversal exploitation by enforcing validation of server-supplied filenames in the downloadToDir() method to block sequences like '../' before writing files.

detect: Enables detection of the vulnerable basic-ftp library versions through regular vulnerability scanning and monitoring.

Security Summary

CVE-2026-27699 is a path traversal vulnerability (CWE-22) in the `basic-ftp` FTP client library for Node.js, affecting versions prior to 5.2.0. The flaw exists in the `downloadToDir()` method, where a malicious FTP server can send directory listings with filenames containing path traversal sequences such as `../`. This causes downloaded files to be written outside the intended download directory on the client side.

The vulnerability can be exploited by any attacker who controls an FTP server to which a victim application connects using the affected library. Per the CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), exploitation is achievable remotely with low complexity, no privileges, and no user interaction. Attackers can achieve high integrity and availability impacts by writing files to arbitrary locations outside the specified directory on the victim's filesystem.

Mitigation is available in `basic-ftp` version 5.2.0, which patches the issue. Security advisories recommend updating to this version or later. Relevant resources include the GitHub security advisory at https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c, release notes at https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0, and the patching commit at https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: patrickjuchli / basic-ftp, ≤ 5.2.0

MITRE ATT&CK Enterprise Techniques

T1105 Ingress Tool Transfer (tactic: Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

The path traversal vulnerability enables a malicious FTP server to write downloaded files to arbitrary locations on the client filesystem, directly facilitating ingress of tools or malware over FTP (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References