CVE-2026-27699
Published: 25 February 2026
Summary
CVE-2026-27699 is a critical-severity Path Traversal (CWE-22) vulnerability in Patrickjuchli Basic-Ftp. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly addresses the CVE by requiring identification, reporting, and timely patching of the vulnerable basic-ftp library to version 5.2.0 or later.
- SI-10 (Information Input Validation): prevents path traversal exploitation by enforcing validation of server-supplied filenames in the downloadToDir() method to block sequences like '../' before writing files.
- Enables detection of the vulnerable basic-ftp library versions through regular vulnerability scanning and monitoring.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability enables a malicious FTP server to write downloaded files to arbitrary locations on the client filesystem, directly facilitating ingress of tools or malware over FTP (T1105).
NVD Description
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Deeper analysis
CVE-2026-27699 is a path traversal vulnerability (CWE-22) in the `basic-ftp` FTP client library for Node.js, affecting versions prior to 5.2.0. The flaw exists in the `downloadToDir()` method, where a malicious FTP server can send directory listings with filenames containing path traversal sequences such as `../`. This causes downloaded files to be written outside the intended download directory on the client side.
The vulnerability can be exploited by any attacker who controls an FTP server to which a victim application connects using the affected library. Per the CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), exploitation is achievable remotely with low complexity, no privileges, and no user interaction. Attackers can achieve high integrity and availability impacts by writing files to arbitrary locations outside the specified directory on the victim's filesystem.
Mitigation is available in `basic-ftp` version 5.2.0, which patches the issue. Security advisories recommend updating to this version or later. Relevant resources include the GitHub security advisory at https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c, release notes at https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0, and the patching commit at https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9.
Details
- CWE(s)