psitransfer 2.1.2

Direct Vulnerabilities

Known vulnerabilities in the psitransfer package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Directory Traversal psitransfer is a Simple open source self-hosted file sharing solution Affected versions of this package are vulnerable to Directory Traversal through the `Store.getFilename` path resolution in the upload storage component. An attacker can escape the upload jail and read or overwrite files outside the intended upload directory by supplying crafted upload IDs or bucket names containing traversal sequences or malformed `++` segments. This can expose or corrupt files on the server and break upload handling for users relying on the file transfer service. Workarounds Reject `PATCH` requests to `/files/:uploadId` unless the expected sidecar metadata already exists, so an attacker cannot create an attacker-controlled file through a malformed upload target. Avoid using a custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript file path under the application root, such as `conf`, to prevent a crafted upload from landing on `config.<NODE_ENV>.js` and being executed on restart. How to fix Directory Traversal? Upgrade `psitransfer` to version 2.4.3 or higher.	<2.4.3
M Zip Slip psitransfer is a Simple open source self-hosted file sharing solution Affected versions of this package are vulnerable to Zip Slip in the archive download functionality in `endpoints.js‎`. An attacker can write arbitrary files outside the intended extraction directory by uploading files with crafted filenames containing path traversal sequences and convincing a victim to download and extract the resulting archive. How to fix Zip Slip? Upgrade `psitransfer` to version 2.3.1 or higher.	<2.3.1
M Unrestricted Upload of File with Dangerous Type psitransfer is a Simple open source self-hosted file sharing solution Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type on the endpoint, which allows users to create a path for uploading a file in a file distribution. An attacker can influence those users who access the file distribution subsequently and insert files with malicious or phishing content by adding arbitrary files to the distribution. How to fix Unrestricted Upload of File with Dangerous Type? Upgrade `psitransfer` to version 2.2.0 or higher.	<2.2.0
M Unrestricted Upload of File with Dangerous Type psitransfer is a Simple open source self-hosted file sharing solution Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the absence of restrictions on the endpoint designed for uploading files, an attacker who has received the id of a file distribution can alter the files within this distribution. Note: This vulnerability enables an attacker to affect those users who access the file distribution subsequently, potentially slipping in files with malicious or phishing content. How to fix Unrestricted Upload of File with Dangerous Type? Upgrade `psitransfer` to version 2.2.0 or higher.	<2.2.0
M Unrestricted Upload of File with Dangerous Type psitransfer is a Simple open source self-hosted file sharing solution Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the absence of restrictions on the endpoint, which allows the creation of a path for uploading a file in a file distribution. An attacker can add arbitrary files to the distribution by sending a POST request to `/files` with a specific `Upload-Metadata` header followed by a PATCH request to `/files/{id}` with arbitrary content. How to fix Unrestricted Upload of File with Dangerous Type? Upgrade `psitransfer` to version 2.2.0 or higher.	<2.2.0
M Unrestricted Upload of File with Dangerous Type psitransfer is a Simple open source self-hosted file sharing solution Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the absence of restrictions on the endpoint designed for uploading files. An attacker who receives the id of a file distribution can alter the files within this distribution by sending a `PATCH` request with arbitrary content. This modification allows the attacker to append malicious or phishing content to the end of the original file, impacting users who access the file distribution subsequently. How to fix Unrestricted Upload of File with Dangerous Type? Upgrade `psitransfer` to version 2.2.0 or higher.	<2.2.0

Vulnerability

Vulnerable Version

Directory Traversal

psitransfer is a Simple open source self-hosted file sharing solution

Affected versions of this package are vulnerable to Directory Traversal through the Store.getFilename path resolution in the upload storage component. An attacker can escape the upload jail and read or overwrite files outside the intended upload directory by supplying crafted upload IDs or bucket names containing traversal sequences or malformed ++ segments. This can expose or corrupt files on the server and break upload handling for users relying on the file transfer service.

Workarounds

Reject PATCH requests to /files/:uploadId unless the expected sidecar metadata already exists, so an attacker cannot create an attacker-controlled file through a malformed upload target.
Avoid using a custom PSITRANSFER_UPLOAD_DIR whose basename prefixes a startup-loaded JavaScript file path under the application root, such as conf, to prevent a crafted upload from landing on config.<NODE_ENV>.js and being executed on restart.

How to fix Directory Traversal?

Upgrade psitransfer to version 2.4.3 or higher.

<2.4.3

Zip Slip

psitransfer is a Simple open source self-hosted file sharing solution

Affected versions of this package are vulnerable to Zip Slip in the archive download functionality in endpoints.js‎. An attacker can write arbitrary files outside the intended extraction directory by uploading files with crafted filenames containing path traversal sequences and convincing a victim to download and extract the resulting archive.

How to fix Zip Slip?

Upgrade psitransfer to version 2.3.1 or higher.

<2.3.1

Unrestricted Upload of File with Dangerous Type

psitransfer is a Simple open source self-hosted file sharing solution

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type on the endpoint, which allows users to create a path for uploading a file in a file distribution. An attacker can influence those users who access the file distribution subsequently and insert files with malicious or phishing content by adding arbitrary files to the distribution.

How to fix Unrestricted Upload of File with Dangerous Type?

Upgrade psitransfer to version 2.2.0 or higher.

<2.2.0

Unrestricted Upload of File with Dangerous Type

psitransfer is a Simple open source self-hosted file sharing solution

Note: This vulnerability enables an attacker to affect those users who access the file distribution subsequently, potentially slipping in files with malicious or phishing content.

How to fix Unrestricted Upload of File with Dangerous Type?

Upgrade psitransfer to version 2.2.0 or higher.

<2.2.0

Unrestricted Upload of File with Dangerous Type

psitransfer is a Simple open source self-hosted file sharing solution

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the absence of restrictions on the endpoint, which allows the creation of a path for uploading a file in a file distribution. An attacker can add arbitrary files to the distribution by sending a POST request to /files with a specific Upload-Metadata header followed by a PATCH request to /files/{id} with arbitrary content.

How to fix Unrestricted Upload of File with Dangerous Type?

Upgrade psitransfer to version 2.2.0 or higher.

<2.2.0

Unrestricted Upload of File with Dangerous Type

psitransfer is a Simple open source self-hosted file sharing solution

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the absence of restrictions on the endpoint designed for uploading files. An attacker who receives the id of a file distribution can alter the files within this distribution by sending a PATCH request with arbitrary content. This modification allows the attacker to append malicious or phishing content to the end of the original file, impacting users who access the file distribution subsequently.

How to fix Unrestricted Upload of File with Dangerous Type?

Upgrade psitransfer to version 2.2.0 or higher.

<2.2.0

psitransfer@2.1.2

Simple open source self-hosted file sharing solution

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically