Skip to main content

PsiTransfer CVE-2026-41180

| EUVDEUVD-2026-25150 HIGH
Path Traversal (CWE-22)
2026-04-23 GitHub_M GHSA-533q-w4g6-5586
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 29, 2026 - 21:08 nvd
Patch available
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:47 vuln.today
Patch available
Apr 23, 2026 - 06:16 EUVD
EUVD ID Assigned
Apr 23, 2026 - 01:15 euvd
EUVD-2026-25150
Analysis Generated
Apr 23, 2026 - 01:15 vuln.today
CVE Published
Apr 23, 2026 - 00:10 nvd
HIGH 7.5

DescriptionGitHub Advisory

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under /files/:uploadId validates the mounted request path using the still-encoded req.path, but the downstream tus handler later writes using the decoded req.params.uploadId. In deployments that use a supported custom PSITRANSFER_UPLOAD_DIR whose basename prefixes a startup-loaded JavaScript path, such as conf, an unauthenticated attacker can create config.<NODE_ENV>.js in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.

AnalysisAI

Path traversal in PsiTransfer versions before 2.4.3 enables remote code execution through malicious file uploads. An attacker exploits URL encoding inconsistencies in the upload validation flow to write attacker-controlled JavaScript configuration files outside the intended upload directory. When the application restarts, these injected config files execute with application privileges, granting the attacker persistent code execution. Vendor patch released in v2.4.3 addresses the encoding mismatch between validation and file-write operations. CVSS 7.5 reflects high attack complexity and required user interaction, limiting immediate mass exploitation risk despite the severe RCE impact.

Technical ContextAI

PsiTransfer is a self-hosted file sharing application built on Node.js, using the tus resumable upload protocol for chunked file transfers. The vulnerability stems from CWE-22 path traversal caused by inconsistent URL encoding handling. The application validates upload paths using req.path (URL-encoded), but the tus handler writes files using req.params.uploadId (URL-decoded). This encoding mismatch allows attackers to bypass path validation by double-encoding traversal sequences. The attack specifically targets deployments using custom PSITRANSFER_UPLOAD_DIR configurations whose directory basename matches Node.js configuration file prefixes like 'conf'. When exploited, attackers create config.<NODE_ENV>.js files in the application root, which Node.js automatically loads and executes during process initialization, converting path traversal into remote code execution.

RemediationAI

Upgrade to PsiTransfer version 2.4.3 or later, which resolves the encoding mismatch between path validation and file write operations (fix commit: 8b547bf3e09757122efa00aab90281e3915aa0c6). Release available at https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3. For environments where immediate upgrade is not feasible, implement compensating controls: (1) Restrict upload directory configuration to non-prefixed basenames that do not match Node.js config file patterns (avoid names like 'conf', 'config', 'etc'), or (2) Deploy network-level access controls limiting upload endpoints to authenticated internal users only, reducing attack surface from AV:N to controlled access. Note that restricting restart privileges prevents code execution but does not prevent malicious file creation, which may enable secondary attacks. Validate upload directory contents before any application restart and remove unexpected .js files from application root.

Share

CVE-2026-41180 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy