Skip to content

fix: upgrade basic-ftp to 5.2.0 (CVE-2026-27699)#6320

Open
orbisai0security wants to merge 1 commit into
FlowiseAI:mainfrom
orbisai0security:fix-cve-2026-27699-basic-ftp
Open

fix: upgrade basic-ftp to 5.2.0 (CVE-2026-27699)#6320
orbisai0security wants to merge 1 commit into
FlowiseAI:mainfrom
orbisai0security:fix-cve-2026-27699-basic-ftp

Conversation

@orbisai0security

@orbisai0security orbisai0security commented Apr 30, 2026

Copy link
Copy Markdown

Summary

Upgrade basic-ftp from 5.0.5 to 5.2.0 to fix CVE-2026-27699.

Vulnerability

Field Value
ID CVE-2026-27699
Severity CRITICAL
Scanner trivy
Rule CVE-2026-27699
File pnpm-lock.yaml
Assessment Likely exploitable

Description: basic-ftp: basic-ftp: File overwrite due to path traversal

Evidence

Scanner confirmation: trivy rule CVE-2026-27699 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Threat Model Context

This is a Node.js library - vulnerabilities affect downstream consumers who use this package.

Changes

  • package.json
  • pnpm-lock.yaml

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds the basic-ftp dependency to the root package.json. Feedback indicates that for this pnpm monorepo, version overrides for transitive dependencies should be placed in the pnpm.overrides section rather than the root dependencies to maintain project standards.

Comment thread package.json
Comment on lines +136 to 140
},
"dependencies": {
"basic-ftp": "5.2.0"
}
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

While this change would resolve the vulnerability, adding dependencies directly to the root package.json is not a standard practice in this pnpm monorepo. For transitive dependencies like basic-ftp, the idiomatic way to enforce a version is by using pnpm.overrides. This keeps the root package.json clean and clearly states the intention of overriding a dependency version across the workspace. Additionally, please verify the maintenance and security status of basic-ftp@5.2.0 to ensure the vulnerability data is not outdated; for instance, a library reported as deprecated might have resumed maintenance. Please revert this change and instead add "basic-ftp": "5.2.0" to the pnpm.overrides section.

    }
}
References
  1. Verify the maintenance and security status of dependencies flagged by automated tools, as this information may be outdated. A library reported as deprecated might have resumed maintenance.

@orbisai0security orbisai0security force-pushed the fix-cve-2026-27699-basic-ftp branch 14 times, most recently from 8508cca to bf0c3cf Compare May 31, 2026 14:21
@orbisai0security orbisai0security force-pushed the fix-cve-2026-27699-basic-ftp branch 6 times, most recently from 824a42f to bf8903b Compare July 5, 2026 12:25
Automated dependency upgrade by OrbisAI Security
@orbisai0security orbisai0security force-pushed the fix-cve-2026-27699-basic-ftp branch from bf8903b to f315384 Compare July 5, 2026 18:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant