{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27699", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T17:56:51.202Z", "datePublished": "2026-02-25T14:58:56.815Z", "dateUpdated": "2026-02-27T17:04:33.751Z"}, "containers": {"cna": {"title": "Basic FTP has Path Traversal Vulnerability in its downloadToDir() method", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c"}, {"name": "https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9"}, {"name": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0"}], "affected": [{"vendor": "patrickjuchli", "product": "basic-ftp", "versions": [{"version": "< 5.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T14:58:56.815Z"}, "descriptions": [{"lang": "en", "value": "The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()`\u00a0method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue."}], "source": {"advisory": "GHSA-5rq4-664w-9x2c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:04:25.002414Z", "id": "CVE-2026-27699", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:04:33.751Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27699", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-27T17:04:25.002414Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:04:29.675Z"}}], "cna": {"title": "Basic FTP has Path Traversal Vulnerability in its downloadToDir() method", "source": {"advisory": "GHSA-5rq4-664w-9x2c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "patrickjuchli", "product": "basic-ftp", "versions": [{"status": "affected", "version": "< 5.2.0"}]}], "references": [{"url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c", "name": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9", "name": "https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0", "name": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()`\u00a0method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T14:58:56.815Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27699", "state": "PUBLISHED", "dateUpdated": "2026-02-27T17:04:33.751Z", "dateReserved": "2026-02-23T17:56:51.202Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T14:58:56.815Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:patrickjuchli:basic-ftp:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "422197F2-36F3-496A-BA4B-09EF41898163", "versionEndExcluding": "5.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()`\u00a0method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue."}], "id": "CVE-2026-27699", "lastModified": "2026-02-26T15:27:45.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-25T15:20:53.523", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "basic-ftp: basic-ftp: File overwrite due to path traversal", "id": "2442644", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442644"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27699", "public_date": "2026-02-25T14:58:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27699\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27699\nhttps://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9\nhttps://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0\nhttps://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c"], "statement": "In default configurations Red Hat on products affected applications do not allow for arbitrary file overwrites. The files which may be overwritten are scoped to the active user permissions that the process is executing with.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "basic-ftp", "source": "cna", "vendor": "patrickjuchli"}, "product": "basic-ftp", "vendor": "patrickjuchli"}], "analysis": {"en": {"generated_at": "2026-04-16T16:13:07.614736+00:00", "value": {"mitigation_remediation": ["Upgrade the basic-ftp library to version 5.2.0 or later, which contains the patch for this path traversal flaw.", "Configure any trusted FTP servers to omit directory listings that contain traversal components such as ../, limiting the opportunity for the client to process unsafe paths.", "If upgrading the library is not feasible, avoid using downloadToDir() and instead manually fetch files, sanitizing all filenames before writing them to disk."], "summary": {"action": "Immediate Patch", "impact": "Remote directory traversal allowing an attacker to write files outside the intended download location"}, "threat_synthesis": {"affected_systems": "Vulnerable occur in all versions of basic-ftp prior to 5.2.0. The affected product is the Node.js FTP client library maintained by patrickjuchli. Any Node.js application that imports basic-ftp and invokes downloadToDir() against an FTP server is at risk; the library has been widely used in management tooling and automation scripts.", "description_and_impact": "The basic-ftp Node.js library contains a path traversal flaw in its downloadToDir() method, allowing a malicious FTP server to supply directory listings with filenames that include traversal sequences such as ../. When the client processes these listings, the files are written outside the intended download directory, potentially overwriting system files or creating arbitrary files. This flaw could compromise the integrity and confidentiality of the file system on the client machine, with a severity score of 9.1 on the CVSS scale.", "risk_and_exploitability": "The condition for exploitation requires the attacker to control or manipulate the FTP server\u2019s directory listings sent to the client. As the EPSS score is below 1%, the observed exploitation likelihood is currently low, but the high CVSS score and the absence of the vulnerability from the CISA KEV list suggest it is a critical vulnerability that could become targeted as interest grows. Remote attackers can trigger the flaw remotely by simply hosting an FTP service that serves malicious listings; no local code execution is required beyond the library\u2019s standard use."}}}}, "created": "2026-02-26T13:16:00.735949+00:00", "updated": "2026-04-16T16:15:08.477080+00:00", "vendors": ["patrickjuchli", "patrickjuchli$PRODUCT$basic-ftp"]}