CVE-2026-27699: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in patrickjuchli basic-ftp
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
AI Analysis
Technical Summary
The vulnerability CVE-2026-27699 affects the basic-ftp library, a popular FTP client implementation for Node.js. It arises from improper limitation of a pathname to a restricted directory (CWE-22) in the downloadToDir() method. When an FTP client downloads a directory, it relies on the server's directory listing to determine the filenames it writes locally. A malicious FTP server can craft listing entries containing path traversal sequences such as '../' to escape the intended download directory. This causes the client to write files outside the designated folder, potentially overwriting critical system or application files or placing malicious files in sensitive locations. The vulnerability does not require any authentication or user interaction on the client side, so it is remotely exploitable by any attacker controlling an FTP server the client connects to. The flaw affects all versions of basic-ftp prior to 5.2.0, and therefore the many applications and automated systems that rely on this library for FTP operations. The vulnerability has a CVSS v3.1 score of 9.1, reflecting its critical nature: network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact covers integrity and availability, as arbitrary files can be overwritten or created. The issue was publicly disclosed and patched in version 5.2.0; no known exploits have been reported in the wild to date.
Potential Impact
The primary impact of this vulnerability is the potential for an attacker controlling an FTP server to overwrite or create arbitrary files on the client system running the vulnerable basic-ftp library. This can lead to severe consequences including corruption or deletion of critical application data, insertion of malicious code or backdoors, disruption of service due to corrupted files, and potential privilege escalation if critical system files are overwritten. Organizations relying on automated FTP downloads for software updates, data ingestion, or backup processes are particularly at risk. The vulnerability affects the integrity and availability of client systems and data. Since exploitation requires only connecting to a malicious FTP server, supply chain attacks or man-in-the-middle scenarios where an attacker can redirect FTP connections are also possible. The widespread use of Node.js and the basic-ftp library in various industries increases the scope of affected systems globally.
Mitigation Recommendations
1. Upgrade all instances of the basic-ftp library to version 5.2.0 or later, where the vulnerability is patched.
2. Implement strict validation and sanitization of filenames received from FTP servers, ensuring no path traversal sequences are allowed before writing files.
3. Use sandboxed or containerized environments for FTP client operations to limit the impact of potential file overwrites.
4. Employ network controls to restrict FTP connections to trusted servers only, minimizing exposure to malicious servers.
5. Monitor file system changes in directories used for FTP downloads to detect unexpected file creations or modifications.
6. Consider using alternative secure file transfer protocols such as SFTP or FTPS that provide better integrity and authentication guarantees.
7. Educate development teams about secure handling of external input, especially filenames and paths, to prevent similar vulnerabilities.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Australia, Canada, Netherlands, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T17:56:51.202Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f1123b7ef31ef0b2a7c5c
Added to database: 2/25/2026, 3:11:31 PM
Last enriched: 2/25/2026, 3:25:48 PM
Last updated: 2/26/2026, 6:59:03 AM