{"id":"GHSA-5rq4-664w-9x2c","summary":"Basic FTP has Path Traversal Vulnerability in its downloadToDir() method","details":"The `basic-ftp` library contains a path traversal vulnerability in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory.\n\n\n## Source-to-Sink Flow\n\n```\n1. SOURCE: FTP server sends LIST response\n└─\u003e \"-rw-r--r-- 1 user group 1024 Jan 20 12:00 ../../../etc/passwd\"\n\n2. PARSER: parseListUnix.ts:100 extracts filename\n└─\u003e file.name = \"../../../etc/passwd\"\n\n3. VALIDATION: parseListUnix.ts:101 checks\n└─\u003e if (name === \".\" || name === \"..\") ❌ (only filters exact matches)\n└─\u003e \"../../../etc/passwd\" !== \".\" && !== \"..\" ✅ PASSES\n\n4. SINK: Client.ts:707 uses filename directly\n└─\u003e const localPath = join(localDirPath, file.name)\n└─\u003e join(\"/safe/download\", \"../../../etc/passwd\")\n└─\u003e Result: \"/safe/download/../../../etc/passwd\" → resolves to \"/etc/passwd\"\n\n5. FILE WRITE: Client.ts:512 opens file\n└─\u003e fsOpen(localPath, \"w\") → writes to /etc/passwd (outside intended directory)\n```\n\n## Vulnerable Code\n\n**File**: `src/Client.ts:707`\n\n```typescript\nprotected async _downloadFromWorkingDir(localDirPath: string): Promise\u003cvoid\u003e {\nawait ensureLocalDirectory(localDirPath)\nfor (const file of await this.list()) {\nconst localPath = join(localDirPath, file.name) // ⚠️ VULNERABLE\n// file.name comes from untrusted FTP server, no sanitization\nawait this.downloadTo(localPath, file.name)\n}\n}\n```\n\n**Root Cause**:\n- Parser validation (`parseListUnix.ts:101`) only filters exact `.` or `..` entries\n- No sanitization of `../` sequences in filenames\n- `path.join()` doesn't prevent traversal, `fs.open()` resolves paths\n\n\n# Impact\n\nA malicious FTP server can:\n- Write files to arbitrary locations on the client filesystem\n- Overwrite critical system files (if user has write access)\n- Potentially achieve remote code execution\n\n## Affected Versions\n\n- **Tested**: v5.1.0\n- **Likely**: All versions (code pattern exists since initial implementation)\n\n## Mitigation\n\n**Workaround**: Do not use `downloadToDir()` with untrusted FTP servers.\n\n**Fix**: Sanitize filenames before use:\n\n```typescript\nimport { basename } from 'path'\n\n// In _downloadFromWorkingDir:\nconst sanitizedName = basename(file.name) // Strip path components\nconst localPath = join(localDirPath, sanitizedName)\n```","aliases":["CVE-2026-27699"],"modified":"2026-02-28T06:44:03.176640Z","published":"2026-02-25T22:34:26Z","related":["CGA-mqpg-9p2f-x355"],"database_specific":{"nvd_published_at":"2026-02-25T15:20:53Z","github_reviewed_at":"2026-02-25T22:34:26Z","severity":"CRITICAL","cwe_ids":["CWE-22"],"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27699"},{"type":"WEB","url":"https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9"},{"type":"PACKAGE","url":"https://github.com/patrickjuchli/basic-ftp"},{"type":"WEB","url":"https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0"}],"affected":[{"package":{"name":"basic-ftp","ecosystem":"npm","purl":"pkg:npm/basic-ftp"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.2.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-5rq4-664w-9x2c/GHSA-5rq4-664w-9x2c.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}