GHSA-5rq4-664w-9x2c

Опубликовано: 25 фев. 2026

Источник: github

Github: Прошло ревью

CVSS3: 9.1

Описание

Basic FTP has Path Traversal Vulnerability in its downloadToDir() method

The basic-ftp library contains a path traversal vulnerability in the downloadToDir() method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (../) that cause files to be written outside the intended download directory.

Source-to-Sink Flow

1. SOURCE: FTP server sends LIST response └─> "-rw-r--r-- 1 user group 1024 Jan 20 12:00 ../../../etc/passwd" 2. PARSER: parseListUnix.ts:100 extracts filename └─> file.name = "../../../etc/passwd" 3. VALIDATION: parseListUnix.ts:101 checks └─> if (name === "." || name === "..") ❌ (only filters exact matches) └─> "../../../etc/passwd" !== "." && !== ".." ✅ PASSES 4. SINK: Client.ts:707 uses filename directly └─> const localPath = join(localDirPath, file.name) └─> join("/safe/download", "../../../etc/passwd") └─> Result: "/safe/download/../../../etc/passwd" → resolves to "/etc/passwd" 5. FILE WRITE: Client.ts:512 opens file └─> fsOpen(localPath, "w") → writes to /etc/passwd (outside intended directory)

Vulnerable Code

File: src/Client.ts:707

protected async _downloadFromWorkingDir(localDirPath: string): Promise<void> { await ensureLocalDirectory(localDirPath) for (const file of await this.list()) { const localPath = join(localDirPath, file.name) // ⚠️ VULNERABLE // file.name comes from untrusted FTP server, no sanitization await this.downloadTo(localPath, file.name) } }

Root Cause: - Parser validation (parseListUnix.ts:101) only filters exact . or .. entries - No sanitization of ../ sequences in filenames

path.join() doesn't prevent traversal, fs.open() resolves paths

Impact

A malicious FTP server can: - Write files to arbitrary locations on the client filesystem - Overwrite critical system files (if user has write access) - Potentially achieve remote code execution

Affected Versions

Tested: v5.1.0
Likely: All versions (code pattern exists since initial implementation)

Mitigation

Workaround: Do not use downloadToDir() with untrusted FTP servers.

Fix: Sanitize filenames before use:

import { basename } from 'path' // In _downloadFromWorkingDir: const sanitizedName = basename(file.name) // Strip path components const localPath = join(localDirPath, sanitizedName)

Ссылки

Пакеты

Наименование

basic-ftp

npm

Затронутые версииВерсия исправления

< 5.2.0

5.2.0

EPSS

Процентиль: 25%

0.00087

Низкий

9.1 Critical

CVSS3

CVE ID

CVE-2026-27699

Дефекты

CWE-22

Связанные уязвимости

CVE-2026-27699

CVSS3: 9.1

ubuntu

около 1 месяца назад

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.