Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.1
Basic FTP Library Allows Malicious FTP Server to Access Sensitive Files
CVE-2026-27699
GHSA-5rq4-664w-9x2c
Summary
The Basic FTP library has a vulnerability that allows a malicious FTP server to access sensitive files outside the intended download directory. This can happen when a malicious server sends a directory listing with filenames containing path traversal sequences. To protect against this, update your Basic FTP library to a fixed version or modify the affected code to properly sanitize the filenames before writing to the file system.
What to do
- Update patrickjuchli basic-ftp to version 5.2.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| patrickjuchli | basic-ftp | <= 5.2.0 | 5.2.0 |
| patrickjuchli | basic-ftp | <= 5.2.0 | – |
Original title
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
Original description
The `basic-ftp` library contains a path traversal vulnerability in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory.
## Source-to-Sink Flow
```
1. SOURCE: FTP server sends LIST response
└─> "-rw-r--r-- 1 user group 1024 Jan 20 12:00 ../../../etc/passwd"
2. PARSER: parseListUnix.ts:100 extracts filename
└─> file.name = "../../../etc/passwd"
3. VALIDATION: parseListUnix.ts:101 checks
└─> if (name === "." || name === "..") ❌ (only filters exact matches)
└─> "../../../etc/passwd" !== "." && !== ".." ✅ PASSES
4. SINK: Client.ts:707 uses filename directly
└─> const localPath = join(localDirPath, file.name)
└─> join("/safe/download", "../../../etc/passwd")
└─> Result: "/safe/download/../../../etc/passwd" → resolves to "/etc/passwd"
5. FILE WRITE: Client.ts:512 opens file
└─> fsOpen(localPath, "w") → writes to /etc/passwd (outside intended directory)
```
## Vulnerable Code
**File**: `src/Client.ts:707`
```typescript
protected async _downloadFromWorkingDir(localDirPath: string): Promise<void> {
await ensureLocalDirectory(localDirPath)
for (const file of await this.list()) {
const localPath = join(localDirPath, file.name) // ⚠️ VULNERABLE
// file.name comes from untrusted FTP server, no sanitization
await this.downloadTo(localPath, file.name)
}
}
```
**Root Cause**:
- Parser validation (`parseListUnix.ts:101`) only filters exact `.` or `..` entries
- No sanitization of `../` sequences in filenames
- `path.join()` doesn't prevent traversal, `fs.open()` resolves paths
# Impact
A malicious FTP server can:
- Write files to arbitrary locations on the client filesystem
- Overwrite critical system files (if user has write access)
- Potentially achieve remote code execution
## Affected Versions
- **Tested**: v5.1.0
- **Likely**: All versions (code pattern exists since initial implementation)
## Mitigation
**Workaround**: Do not use `downloadToDir()` with untrusted FTP servers.
**Fix**: Sanitize filenames before use:
```typescript
import { basename } from 'path'
// In _downloadFromWorkingDir:
const sanitizedName = basename(file.name) // Strip path components
const localPath = join(localDirPath, sanitizedName)
```
## Source-to-Sink Flow
```
1. SOURCE: FTP server sends LIST response
└─> "-rw-r--r-- 1 user group 1024 Jan 20 12:00 ../../../etc/passwd"
2. PARSER: parseListUnix.ts:100 extracts filename
└─> file.name = "../../../etc/passwd"
3. VALIDATION: parseListUnix.ts:101 checks
└─> if (name === "." || name === "..") ❌ (only filters exact matches)
└─> "../../../etc/passwd" !== "." && !== ".." ✅ PASSES
4. SINK: Client.ts:707 uses filename directly
└─> const localPath = join(localDirPath, file.name)
└─> join("/safe/download", "../../../etc/passwd")
└─> Result: "/safe/download/../../../etc/passwd" → resolves to "/etc/passwd"
5. FILE WRITE: Client.ts:512 opens file
└─> fsOpen(localPath, "w") → writes to /etc/passwd (outside intended directory)
```
## Vulnerable Code
**File**: `src/Client.ts:707`
```typescript
protected async _downloadFromWorkingDir(localDirPath: string): Promise<void> {
await ensureLocalDirectory(localDirPath)
for (const file of await this.list()) {
const localPath = join(localDirPath, file.name) // ⚠️ VULNERABLE
// file.name comes from untrusted FTP server, no sanitization
await this.downloadTo(localPath, file.name)
}
}
```
**Root Cause**:
- Parser validation (`parseListUnix.ts:101`) only filters exact `.` or `..` entries
- No sanitization of `../` sequences in filenames
- `path.join()` doesn't prevent traversal, `fs.open()` resolves paths
# Impact
A malicious FTP server can:
- Write files to arbitrary locations on the client filesystem
- Overwrite critical system files (if user has write access)
- Potentially achieve remote code execution
## Affected Versions
- **Tested**: v5.1.0
- **Likely**: All versions (code pattern exists since initial implementation)
## Mitigation
**Workaround**: Do not use `downloadToDir()` with untrusted FTP servers.
**Fix**: Sanitize filenames before use:
```typescript
import { basename } from 'path'
// In _downloadFromWorkingDir:
const sanitizedName = basename(file.name) // Strip path components
const localPath = join(localDirPath, sanitizedName)
```
nvd CVSS3.1
9.8
Vulnerability type
CWE-22
Path Traversal
- https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x... Exploit Vendor Advisory Mitigation
- https://nvd.nist.gov/vuln/detail/CVE-2026-27699
- https://github.com/advisories/GHSA-5rq4-664w-9x2c
- https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f... Patch
- https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0 Release Notes
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026