Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-27699

Опубликовано: 25 фев. 2026
Источник: redhat
CVSS3: 7.5

Описание

The basic-ftp FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the downloadToDir() method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (../) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

A flaw was found in basic-ftp, an FTP client library. A malicious FTP server can exploit a path traversal vulnerability (CWE-22) within the downloadToDir() method. This allows the server to send directory listings containing special sequences that trick the client into writing files to unintended locations on the system. Such an attack could lead to unauthorized file creation or modification, potentially compromising the integrity of the affected system.

Отчет

In default configurations Red Hat on products affected applications do not allow for arbitrary file overwrites. The files which may be overwritten are scoped to the active user permissions that the process is executing with.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-22
https://bugzilla.redhat.com/show_bug.cgi?id=2442644basic-ftp: basic-ftp: File overwrite due to path traversal

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2026-27699

CVSS3: 9.1
ubuntu
около 1 месяца назад

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

nvd логотип

CVE-2026-27699

CVSS3: 9.1
nvd
около 1 месяца назад

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

debian логотип

CVE-2026-27699

CVSS3: 9.1
debian
около 1 месяца назад

The `basic-ftp` FTP client library for Node.js contains a path travers ...

github логотип

GHSA-5rq4-664w-9x2c

CVSS3: 9.1
github
около 1 месяца назад

Basic FTP has Path Traversal Vulnerability in its downloadToDir() method

7.5 High

CVSS3