PT-2021-11238 · Ftpsrv · Ftp-Srv
N-Timofeev · Published 2021-02-10 · Updated 2021-02-19 · CVE-2020-26299
CVSS v3.1: 9.6 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
ftp-srv versions prior to 4.4.0
Description:
The issue is a path-traversal vulnerability in ftp-srv, an open-source FTP server. Clients of FTP servers built on ftp-srv and hosted on Windows machines can escape the FTP user's defined root folder using ordinary FTP commands, such as CWD and UPDR. This occurs when Windows separators (`\`) exist within the client-supplied path: path.resolve leaves the upper pointers (`..`) intact, allowing the user to move beyond the root folder defined for that user.
Recommendations:
For versions prior to 4.4.0, update to version 4.4.0 or later to resolve the issue. As a temporary workaround, consider hosting the server on a different OS; there is no workaround for servers running on Windows.
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Ftp-Srv