[Pkg-javascript-devel] Bug#1129093: node-proxy-agents: CVE-2026-27699
Salvatore Bonaccorso
carnil at debian.org
Thu Feb 26 21:39:05 GMT 2026
Source: node-proxy-agents
Version: 0~2025070717-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-proxy-agents.

CVE-2026-27699[0]:
| The `basic-ftp` FTP client library for Node.js contains a path
| traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the
| `downloadToDir()` method. A malicious FTP server can send directory
| listings with filenames containing path traversal sequences (`../`)
| that cause files to be written outside the intended download
| directory. Version 5.2.0 patches the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27699
    https://www.cve.org/CVERecord?id=CVE-2026-27699
[1] https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
[2] https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
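
The CVE description above is about listing names from the server reaching the local file system unchecked. The following is an added example, not part of the original report and not the upstream fix referenced in [2]: one way for a client to validate each listed name before writing. `resolveInside`, `planDownloads` and the sample listing are hypothetical names and constructed data.

```javascript
// Added example: resolveInside() and planDownloads() are hypothetical helper
// names, not part of the basic-ftp API.
const path = require("node:path");

// Map one server-supplied listing name to a local path under baseDir,
// or throw if the name could place the file anywhere else.
function resolveInside(baseDir, remoteName) {
  if (typeof remoteName !== "string" || remoteName.length === 0) {
    throw new Error("empty or non-string entry name");
  }
  // A listing entry must be a single path component: no separators of
  // either flavour, no NUL byte, and not the special names "." or "..".
  if (/[\/\\\0]/.test(remoteName) || remoteName === "." || remoteName === "..") {
    throw new Error(`unsafe entry name: ${JSON.stringify(remoteName)}`);
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, remoteName);
  // Defence in depth: the resolved target must still be below base.
  const rel = path.relative(base, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`entry escapes download directory: ${JSON.stringify(remoteName)}`);
  }
  return target;
}

// Split a listing into local paths that are safe to write and names to refuse.
function planDownloads(baseDir, names) {
  const accepted = [];
  const rejected = [];
  for (const name of names) {
    try {
      accepted.push(resolveInside(baseDir, name));
    } catch (err) {
      rejected.push({ name, reason: err.message });
    }
  }
  return { accepted, rejected };
}

// Constructed sample listing (not captured from a real server).
const SAMPLE_LISTING = [
  "report.txt",
  "..notes.txt", // legitimate name that merely starts with dots
  "../outside.txt",
  "sub/../../outside.txt",
  "..",
  "..\\outside.txt",
  "/tmp/outside.txt",
];
```

Rejected names are worth logging with the server address, since a listing that contains them is itself an indicator of a hostile or compromised server.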