Description
PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.
Published: 2026-04-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises in the upload PATCH flow of PsiTransfer. The flaw is a directory traversal vulnerability (CWE-22), where the application does not properly validate the mounted request path, allowing an attacker to craft a path that leads to the creation of a file named config.<NODE_ENV>.js in the application root. Because this file is loaded automatically on the next process restart, an unauthenticated attacker can inject and execute arbitrary JavaScript code when the service restarts, resulting in remote code execution with the privileges of the running process.

Affected Systems

psi‑4ward PsiTransfer installations that use a custom PSITRANSFER_UPLOAD_DIR whose basename prefixes a server‑side JavaScript path, such as conf, are affected. All versions prior to 2.4.3 contain the flaw; version 2.4.3 and later include the path‑validation fix.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, yet the EPSS score of less than 1% suggests the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an unauthenticated attacker to issue a PATCH request to /files/:uploadId and subsequently trigger a restart of the application. Once executed, it would provide full code execution on the host running PsiTransfer.

Generated by OpenCVE AI on April 28, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade psi‑4ward PsiTransfer to version 2.4.3 or later, which contains the path validation fix.
  • Review and modify the PSITRANSFER_UPLOAD_DIR configuration so that its basename does not conflict with server‑side JavaScript paths, or remove the custom directory setting entirely.
  • After applying the update, restart the PsiTransfer service immediately to load the new configuration and prevent execution of any newly created config.<NODE_ENV>.js files.

Generated by OpenCVE AI on April 28, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-533q-w4g6-5586 PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart
History

Mon, 27 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Psi-4ward
Psi-4ward psitransfer
Vendors & Products Psi-4ward
Psi-4ward psitransfer

Thu, 23 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.
Title PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Psi-4ward Psitransfer
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T13:59:14.836Z

Reserved: 2026-04-17T16:34:45.526Z

Link: CVE-2026-41180

cve-icon Vulnrichment

Updated: 2026-04-23T13:59:11.539Z

cve-icon NVD

Status : Deferred

Published: 2026-04-23T02:16:15.977

Modified: 2026-04-29T21:08:02.250

Link: CVE-2026-41180

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses