9.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26299

GHSA ID

GHSA-pmw4-jgxx-pcq9

EPSS Score

0.71995%

CWE

CWE-22

Published

2/10/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26299

CVE-2020-26299:
File System Bounds Escape

Impact

Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, CWD and UPDR.

Background

When windows separators exist within the path (\), path.resolve leaves the upper pointers intact and allows the user to move beyond the root folder defined for that user. We did not take that into account when creating the path resolve function.

Screen Shot 2020-12-15 at 6 42 52 PM

Patches

None at the moment.

Workarounds

There are no workarounds for windows servers. Hosting the server on a different OS mitigates the issue.

References

Issues: https://github.com/autovance/ftp-srv/issues/167 https://github.com/autovance/ftp-srv/issues/225

For more information

If you have any questions or comments about this advisory: Open an issue at https://github.com/autovance/ftp-srv. Please email us directly; security@autovance.com.

(GitHub Advisory)

9.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26299

GHSA ID

GHSA-pmw4-jgxx-pcq9

EPSS Score

0.71995%

CWE

CWE-22

Published

2/10/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ftp-srv	npm	< 4.4.0	4.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how path resolution was handled in Windows environments. The commit 457b859 shows critical changes to the _resolvePath function in src/fs.js, including adding Windows separator replacement and improved path normalization. The original implementation didn't properly sanitize Windows-style paths before passing to path.resolve(), which preserves parent directory references (..) when using backslashes. This allowed clients to escape the root directory using commands like CWD with Windows-style path separators.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *li*nts o* *TP s*rv*rs utilizin* `*tp-srv` *ost** on Win*ows m***in*s **n *s**p* t** *TP us*r's ***in** root *ol**r usin* t** *xp**t** *TP *omm*n*s, *or *x*mpl*, `*W*` *n* `UP*R`. ### ***k*roun* W**n win*ows s*p*r*tors *xist wit*in t**

Reasoning

T** vuln*r**ility st*ms *rom *ow p*t* r*solution w*s **n*l** in Win*ows *nvironm*nts. T** *ommit ******* s*ows *riti**l ***n**s to t** `_r*solv*P*t*` *un*tion in `sr*/*s.js`, in*lu*in* ***in* Win*ows s*p*r*tor r*pl***m*nt *n* improv** p*t* norm*liz*t

9.6

Basic Information

Concerned about an active attack path?

CVE-2020-26299: File System Bounds Escape

Impact

Background

Patches

Workarounds

References

For more information

9.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-26299:
File System Bounds Escape

Vulnerability Intelligence
Miggo AI