CVE-2026-27699

NameCVE-2026-27699
DescriptionThe `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1129093

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-proxy-agents (PTS)trixie0~2024040606-6vulnerable
forky, sid0~2025070717+~cs15.2.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-proxy-agentssource(unstable)0~2025070717+~cs15.2.7-11129093

Notes

[trixie] - node-proxy-agents <no-dsa> (Minor issue, can be fixed via point release)
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9 (v5.2.0)
Search for package or bug name: Reporting problems