Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under /files/:uploadId validates the mounted request path using the still-encoded req.path, but the downstream tus handler later writes using the decoded req.params.uploadId. In deployments that use a supported custom PSITRANSFER_UPLOAD_DIR whose basename prefixes a startup-loaded JavaScript path, such as conf, an unauthenticated attacker can create config.<NODE_ENV>.js in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.
AnalysisAI
Path traversal in PsiTransfer versions before 2.4.3 enables remote code execution through malicious file uploads. An attacker exploits URL encoding inconsistencies in the upload validation flow to write attacker-controlled JavaScript configuration files outside the intended upload directory. When the application restarts, these injected config files execute with application privileges, granting the attacker persistent code execution. Vendor patch released in v2.4.3 addresses the encoding mismatch between validation and file-write operations. CVSS 7.5 reflects high attack complexity and required user interaction, limiting immediate mass exploitation risk despite the severe RCE impact.
Technical ContextAI
PsiTransfer is a self-hosted file sharing application built on Node.js, using the tus resumable upload protocol for chunked file transfers. The vulnerability stems from CWE-22 path traversal caused by inconsistent URL encoding handling. The application validates upload paths using req.path (URL-encoded), but the tus handler writes files using req.params.uploadId (URL-decoded). This encoding mismatch allows attackers to bypass path validation by double-encoding traversal sequences. The attack specifically targets deployments using custom PSITRANSFER_UPLOAD_DIR configurations whose directory basename matches Node.js configuration file prefixes like 'conf'. When exploited, attackers create config.<NODE_ENV>.js files in the application root, which Node.js automatically loads and executes during process initialization, converting path traversal into remote code execution.
RemediationAI
Upgrade to PsiTransfer version 2.4.3 or later, which resolves the encoding mismatch between path validation and file write operations (fix commit: 8b547bf3e09757122efa00aab90281e3915aa0c6). Release available at https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3. For environments where immediate upgrade is not feasible, implement compensating controls: (1) Restrict upload directory configuration to non-prefixed basenames that do not match Node.js config file patterns (avoid names like 'conf', 'config', 'etc'), or (2) Deploy network-level access controls limiting upload endpoints to authenticated internal users only, reducing attack surface from AV:N to controlled access. Note that restricting restart privileges prevents code execution but does not prevent malicious file creation, which may enable secondary attacks. Validate upload directory contents before any application restart and remove unexpected .js files from application root.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25150
GHSA-533q-w4g6-5586