Aikido Security Patch Fixes Critical Path Traversal, OS Command Injection in Key Dependencies
A critical security update from Aikido addresses eight vulnerabilities across widely used dependencies, including a severe path traversal flaw that could allow a malicious FTP server to write files anywhere on the client's file system. The patch resolves one critical and multiple high-severity CVEs, directly mitigating risks of remote code execution and denial-of-service attacks in production environments.
The most severe issue, CVE-2026-27699, is a critical path traversal vulnerability in the `basic-ftp` library's `downloadToDir()` method. An attacker-controlled FTP server can return listing entries whose names contain directory traversal sequences, and the client then writes those files outside the intended download directory, resulting in arbitrary file writes. Another high-severity vulnerability, CVE-2025-68154, is an OS command injection in the `systeminformation` package, which is commonly used for querying system data. The update also patches denial-of-service vulnerabilities in server functions within the `next` and `lodash` libraries.
These fixes are not merely routine maintenance; they patch active attack vectors in foundational tools. The `basic-ftp` and `systeminformation` packages are embedded in countless Node.js applications for file transfers and system monitoring, making this a widespread supply chain security concern. Organizations that fail to apply this dependency upgrade leave their systems exposed to server compromise and data integrity breaches. The coordinated patch across multiple libraries signals a concentrated effort to harden a common software stack against escalating exploitation attempts.