CVE-2026-27699: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in patrickjuchli basic-ftp

Severity: Critical
Tags: Vulnerability, CVE-2026-27699, CWE-22
Published: Wed Feb 25 2026 (02/25/2026, 14:58:56 UTC)
Source: CVE Database V5
Vendor/Project: patrickjuchli
Product: basic-ftp

Description

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/04/2026, 18:56:37 UTC

Technical Analysis

CVE-2026-27699 is a path traversal vulnerability (CWE-22) in the basic-ftp library for Node.js, affecting versions prior to 5.2.0. The flaw is in the downloadToDir() method, which downloads the contents of a remote directory into a local directory. The method trusts the filenames it receives in the server's directory listing and uses them to build local paths, so a malicious FTP server can include entries whose names carry traversal sequences such as '../'. When the client processes such an entry it writes the downloaded data outside the intended download directory, creating or overwriting files anywhere the client process has write permission.

The consequences are integrity and availability impacts: configuration files, scripts or data can be overwritten, and a planted file may be executed or read later by some other component. The attack needs no credentials beyond whatever the client already uses to log in and no action from a user; it only requires that the client connect to a server the attacker controls or has compromised, and since plain FTP is unencrypted, an on-path attacker between client and server could in principle alter the listing as well. The CVSS v3.1 base score is 9.1 (critical). The issue was publicly disclosed on February 25, 2026 and fixed in basic-ftp 5.2.0. No exploitation in the wild has been reported, but the severity warrants prompt attention. The vulnerability matters most for applications that use basic-ftp for automated transfers from servers that are not fully trusted, for example third-party or customer-operated endpoints.

Potential Impact

A malicious FTP server can make the client write files outside the chosen download directory, anywhere the client process has write permission. Depending on what the process can reach, that means overwriting application or system files (data integrity loss, service disruption) or planting an executable, script or configuration file that another component later runs or reads, which can escalate to code execution or privilege escalation in the context of whatever consumes the planted file. No user interaction is needed: any client whose downloadToDir() call reaches a malicious or compromised server is exposed, so automated pipelines that pull from third-party FTP servers are the most likely victims, and a compromised upstream server becomes a supply-chain risk for every client polling it. The bug is a write primitive, not a read primitive, so its direct impact is on integrity and availability rather than confidentiality; any confidentiality loss would be a downstream consequence of the compromise it enables.

Mitigation Recommendations

1. Upgrade basic-ftp to version 5.2.0 or later on every host and in every lockfile, including where it is pulled in transitively (check with `npm ls basic-ftp`).
2. Where an immediate upgrade is not possible, do not call downloadToDir() against servers you do not control: list the remote directory with the library's list() method, validate each entry name yourself (reject anything containing a path separator, the names "." or "..", or a null byte), and download only accepted entries one at a time with downloadTo() to a local path you construct.
3. Run the FTP client under an account that can write only to the intended download directory, so that an escaped write fails instead of landing elsewhere.
4. Contain the process further with sandboxing or a container: a read-only root filesystem with the download directory as the only writable mount limits what a traversal can reach.
5. Monitor for unexpected file creations or modifications outside the download directory (file-integrity monitoring or audit rules on the surrounding tree), since an escaped write is the observable symptom of exploitation.
6. Avoid connecting to untrusted FTP servers at all where possible. FTPS with strict certificate validation protects the listing from on-path tampering but does nothing against a server that is itself malicious, so it is not a substitute for the upgrade; SFTP is a different protocol served by different libraries and is not affected by this bug, but switching to it is a migration rather than a patch.
7. Verify downloaded files against checksums or signed manifests obtained through a separate channel, so tampered content is detected before it is used.
8. Make developers and DevOps teams aware of the issue so that untrusted-server scenarios are handled deliberately in code review and deployment.

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-23T17:56:51.202Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f1123b7ef31ef0b2a7c5c

Added to database: 2/25/2026, 3:11:31 PM

Last enriched: 3/4/2026, 6:56:37 PM

Last updated: 4/12/2026, 12:48:52 PM