Researcher: Thecasual (rank #23498 of 53,630 · total CVSS 10 · vulnerabilities: 1)

PT-2026-21918 · CVSS 10 · published 2026-02-23
Basic-Ftp · Basic-Ftp · CVE-2026-27699
**Name of the Vulnerable Software and Affected Versions**

basic-ftp versions prior to 5.2.0

**Description**

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in the `downloadToDir()` method. A malicious FTP server can return a directory listing whose filenames contain traversal sequences (`../`). Because the client does not validate these server-supplied names, the sequences survive into the local path and files are written outside the intended download directory. A server operator can therefore craft a listing that, when processed by the client, causes files to be written to arbitrary locations on the client's filesystem, overwriting critical files or placing malicious files in sensitive locations. The vulnerable code is located in `src/Client.ts:707`, where `path.join()` combines the download directory with the unsanitised filename received from the server; since `path.join()` normalises `..` components, a name such as `../../x` resolves above the download directory.

**Recommendations**

Update to version 5.2.0 or later. As a workaround, do not call `downloadToDir()` against untrusted FTP servers. If listings from such servers must be processed, strip path components from each filename with `basename()` from the `path` module before use. Note that `basename()` returns a bare `..` entry unchanged, so also reject `.`, `..` and empty names, and verify that the resolved target path still lies within the download directory.