ftp-srv is vulnerable to directory traversal. The vulnerability exists as it does not perform checks on the relative path to see if it resolves to a path outside of the application root directory.
github.com/autovance/ftp-srv/commit/457b859450a37cba10ff3c431eb4aa67771122e3
github.com/autovance/ftp-srv/issues/167
github.com/autovance/ftp-srv/issues/225
github.com/autovance/ftp-srv/pull/224
github.com/autovance/ftp-srv/security/advisories/GHSA-pmw4-jgxx-pcq9
www.npmjs.com/advisories/1624
www.npmjs.com/package/ftp-srv