FTP: File Transfer Pwnage - Analyzing CVE-2026-27699 in basic-ftp

FTP is the cockroach of internet protocols. It survives nuclear wars, modern firewall policies, and the scorn of every security engineer born after 1995. In the Node.js ecosystem, basic-ftp is the go-to library for interacting with these ancient beasts. It's simple, promise-based, and widely used for automated tasks like backing up databases or syncing assets.

But here is the problem with automation: it assumes everyone plays nice. When you connect your client to an FTP server and tell it to "download this directory," you are implicitly trusting that the server will send you... well, files inside that directory. You aren't expecting the server to reach out of the sandbox and stab you in the throat.

CVE-2026-27699 is exactly that stab. It’s a classic Path Traversal vulnerability that turns a standard file download operation into an arbitrary file write primitive. If your application uses basic-ftp to pull data from an untrusted (or compromised) source, your local filesystem is essentially open for business.

The vulnerability hides in plain sight within the _downloadFromWorkingDir method. This function is responsible for recursively downloading a directory from the server to your local machine. The logic seems sound on paper: list the files on the server, iterate through them, and save them locally.

Here is where it goes wrong: the library takes the filename provided by the server and feeds it directly into Node's path.join(). In Node.js, path.join('/safe/dir', '../../evil') resolves to /evil. It dutifully normalizes the path, interpreting the .. segments as instructions to go up the directory tree.

> [!WARNING] > The library failed to ask the most important question in file handling: "Does this file stay where I put it?"

By failing to sanitize the file.name returned by the FTP LIST command, basic-ftp became a 'confused deputy.' It willingly accepts a filename like ../../../../etc/passwd from the server and overwrites the system password file, thinking it's just doing its job.

Let's look at the code before the patch. This is from src/Client.ts. It’s short, readable, and dangerous.

// VULNERABLE CODE (< 5.2.0)
protected async _downloadFromWorkingDir(localDirPath: string): Promise<void> {
    await ensureLocalDirectory(localDirPath)
    // The server controls 'file.name'
    for (const file of await this.list()) {
        // FATAL FLAW: No validation on file.name before join
        const localPath = join(localDirPath, file.name)
        if (file.isDirectory) {
            await this.cd(file.name)
            // ... recursion ...
        } else {
            await this.downloadTo(createWriteStream(localPath), file.name)
        }
    }
}

The fix, introduced in version 5.2.0 (Commit 2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9), is elegant in its simplicity. It uses path.basename() to verify that the filename provided by the server doesn't contain any directory separators.

// PATCHED CODE (5.2.0)
+ import { basename, join } from "path"
 
protected async _downloadFromWorkingDir(localDirPath: string): Promise<void> {
    await ensureLocalDirectory(localDirPath)
    for (const file of await this.list()) {
        // CHECK: Is the basename identical to the name?
        // If 'file.name' is '../foo', basename is 'foo'. mismatch -> block.
+       const hasInvalidName = !file.name || basename(file.name) !== file.name
+       if (hasInvalidName) {
+           this.ftp.log(`Invalid filename... skipping`)
+           continue
+       }
        const localPath = join(localDirPath, file.name)
        // ...
    }
}

If the server sends ../../evil.exe, basename returns evil.exe. Since ../../evil.exe !== evil.exe, the check fails, and the file is skipped. Simple, but effective.

To exploit this, you don't need fancy buffer overflows. You just need to be the server. This is a "Reverse Client" attack. The victim connects to us.

Scenario: A developer runs a script node backup-fetcher.js that connects to your FTP server to download logs.

1. The Trap: You set up a malicious FTP server (using Python's pyftpdlib with some modifications to allow raw raw responses).
2. The Bait: The victim authenticates and requests LIST.
3. The Switch: Your server responds with a forged directory listing:

   -rw-r--r--   1 root     root         1024 Feb 25 10:00 ../../../../../home/victim/.ssh/authorized_keys

4. The Execution: basic-ftp receives this line. It parses the filename as ../../../../../home/victim/.ssh/authorized_keys. It joins this with the user's download path (e.g., ./downloads).
5. The Pwn: The final path resolves to /home/victim/.ssh/authorized_keys. The client opens a write stream to that path. Your server then sends your public SSH key as the file content.

Boom. You now have SSH access to the developer's machine.

This vulnerability is rated CVSS 9.1 (Critical) for a reason. While it requires the victim to connect to a malicious server, the consequences are catastrophic.

• RCE: Overwriting .bashrc, .ssh/authorized_keys, or placing files in startup folders leads to immediate code execution.
• Data Corruption: An attacker could overwrite critical application configuration files (e.g., web.config, .env) to disable security features or break the application.
• Supply Chain Risk: If a build server uses basic-ftp to pull dependencies or assets from a compromised third-party FTP server, the build artifacts themselves could be backdoored.

This isn't just about reading files; it's about writing them anywhere the Node.js process has permission to write. If the script runs as root/admin (God forbid), you own the box.

The remediation is straightforward: Update basic-ftp to version 5.2.0 immediately.

If you cannot update for some reason (maybe you enjoy living dangerously), you must stop using the high-level downloadToDir() method. Instead, you would have to manually implement the directory listing and download logic, ensuring you sanitize every single filename before writing it to disk.

> [!TIP] > Developer Lesson: Never trust input from the network, even if it looks like a harmless file list. Treat every string from a socket as if it's trying to exploit you. Use path.basename() when handling filenames to ensure they are strictly filenames and not paths.

For security teams: Scan your repositories for package.json files containing "basic-ftp": "<5.2.0". This is a low-effort, high-impact fix.