Anonymous Intelligence Signal

CVE-2025-59436: Low-Severity Vulnerability Detected in FDM Monster Dependency Chain

Author: The Lab (unverified) | 2026-04-14 01:22:41 | Source: GitHub Issues

A low-severity vulnerability, CVE-2025-59436, has been identified within the dependency chain of the FDM Monster project. The flaw resides in the `ip-1.1.9.tgz` library, a transitive dependency pulled in via the `ftp-srv` package. This finding highlights the persistent risk of inherited security weaknesses in complex software ecosystems, even when the core application is not directly at fault.

The vulnerable `ip` library is a dependency of `ftp-srv-4.6.3.tgz`, which itself is used by the root project `@fdm-monster/consoles-1.0.0.tgz`. The issue was detected in the project's main branch, specifically in commit `c3a675351b79a3823e2d069d654a3becc5f42dd0`. While the vulnerability is assessed as low severity, its presence underscores the challenge of maintaining a clean software bill of materials (SBOM) and the potential for obscure dependencies to introduce attack surfaces.

For developers and maintainers of the FDM Monster project and similar Node.js applications, this serves as a routine but critical reminder to audit dependency trees. The dependency chain is traced from the project's root `/package.json`, through `ftp-srv`, down to the vulnerable `ip` package. Although the immediate risk may be limited, unaddressed vulnerabilities in any layer of the dependency stack can compound over time, especially in applications that expose network services or handle file transfers via FTP. Continuous monitoring and prompt dependency updates remain essential defensive practices.