psitransfer 2.2.0

Direct Vulnerabilities

Known vulnerabilities in the psitransfer package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Directory Traversal psitransfer is a Simple open source self-hosted file sharing solution Affected versions of this package are vulnerable to Directory Traversal through the `Store.getFilename` path resolution in the upload storage component. An attacker can escape the upload jail and read or overwrite files outside the intended upload directory by supplying crafted upload IDs or bucket names containing traversal sequences or malformed `++` segments. This can expose or corrupt files on the server and break upload handling for users relying on the file transfer service. Workarounds Reject `PATCH` requests to `/files/:uploadId` unless the expected sidecar metadata already exists, so an attacker cannot create an attacker-controlled file through a malformed upload target. Avoid using a custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript file path under the application root, such as `conf`, to prevent a crafted upload from landing on `config.<NODE_ENV>.js` and being executed on restart. How to fix Directory Traversal? Upgrade `psitransfer` to version 2.4.3 or higher.	<2.4.3
M Zip Slip psitransfer is a Simple open source self-hosted file sharing solution Affected versions of this package are vulnerable to Zip Slip in the archive download functionality in `endpoints.js‎`. An attacker can write arbitrary files outside the intended extraction directory by uploading files with crafted filenames containing path traversal sequences and convincing a victim to download and extract the resulting archive. How to fix Zip Slip? Upgrade `psitransfer` to version 2.3.1 or higher.	<2.3.1

Vulnerability

Vulnerable Version

Directory Traversal

psitransfer is a Simple open source self-hosted file sharing solution

Affected versions of this package are vulnerable to Directory Traversal through the Store.getFilename path resolution in the upload storage component. An attacker can escape the upload jail and read or overwrite files outside the intended upload directory by supplying crafted upload IDs or bucket names containing traversal sequences or malformed ++ segments. This can expose or corrupt files on the server and break upload handling for users relying on the file transfer service.

Workarounds

Reject PATCH requests to /files/:uploadId unless the expected sidecar metadata already exists, so an attacker cannot create an attacker-controlled file through a malformed upload target.
Avoid using a custom PSITRANSFER_UPLOAD_DIR whose basename prefixes a startup-loaded JavaScript file path under the application root, such as conf, to prevent a crafted upload from landing on config.<NODE_ENV>.js and being executed on restart.

How to fix Directory Traversal?

Upgrade psitransfer to version 2.4.3 or higher.

<2.4.3

Zip Slip

psitransfer is a Simple open source self-hosted file sharing solution

Affected versions of this package are vulnerable to Zip Slip in the archive download functionality in endpoints.js‎. An attacker can write arbitrary files outside the intended extraction directory by uploading files with crafted filenames containing path traversal sequences and convincing a victim to download and extract the resulting archive.

How to fix Zip Slip?

Upgrade psitransfer to version 2.3.1 or higher.

<2.3.1

psitransfer@2.2.0

Simple open source self-hosted file sharing solution

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically