Anonymous Intelligence Signal

Critical Path Traversal Flaw in basic-ftp Library Exposes Apps to Remote Code Execution

human The Lab unverified 2026-03-27 13:27:20 Source: GitHub Issues

A critical path traversal vulnerability has been disclosed in `basic-ftp`, a widely used FTP client library for Node.js. Tracked as CVE-2026-27699, the flaw resides in the library's `downloadToDir()` method and allows a malicious FTP server to make the client write downloaded files outside the local directory the application chose, to any location the client process has permission to write. An arbitrary file write of this kind is a common stepping stone to remote code execution, for example by dropping a file that the application or the host later loads or executes.

The vulnerability affects versions prior to 5.2.0 and stems from insufficient sanitization of file paths received from the FTP server. `downloadToDir()` recursively downloads a remote directory, and the local names it writes to are derived from the server's directory listing. A malicious server can return entries containing traversal sequences (such as `../../../`) so that, when the client joins them onto the local target directory, the resulting path lands outside the intended, isolated directory. Because the client trusts the server for the file name as well as the file contents, this bypasses the directory boundary and directly threatens the integrity of the host system.

This disclosure warrants urgent scrutiny of any application or service that uses the `basic-ftp` client for automated file transfers. The risk is most acute where files are pulled from untrusted or publicly accessible FTP servers, since the server controls the listing and therefore the local file names. The maintainers have released version 5.2.0 with a fix; anyone running 5.0.5 or any earlier release should upgrade to 5.2.0 or later immediately. Check the version actually resolved in your lockfile (for example with `npm ls basic-ftp`) rather than the range in `package.json`, since a caret range may still be pinned to a vulnerable release until the lockfile is refreshed.