Homepage

psitransfer@2.4.2

Simple open source self-hosted file sharing solution

  • latest version

    2.4.3

  • latest non vulnerable version

    2.4.3

  • first published

    6 years ago

  • latest version published

    28 days ago

  • licenses detected

  • View psitransfer package health on Snyk  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the psitransfer package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Directory Traversal

    psitransfer is a Simple open source self-hosted file sharing solution

    Affected versions of this package are vulnerable to Directory Traversal through the Store.getFilename path resolution in the upload storage component. An attacker can escape the upload jail and read or overwrite files outside the intended upload directory by supplying crafted upload IDs or bucket names containing traversal sequences or malformed ++ segments. This can expose or corrupt files on the server and break upload handling for users relying on the file transfer service.

    Workarounds

    • Reject PATCH requests to /files/:uploadId unless the expected sidecar metadata already exists, so an attacker cannot create an attacker-controlled file through a malformed upload target.
    • Avoid using a custom PSITRANSFER_UPLOAD_DIR whose basename prefixes a startup-loaded JavaScript file path under the application root, such as conf, to prevent a crafted upload from landing on config.<NODE_ENV>.js and being executed on restart.

    How to fix Directory Traversal?

    Upgrade psitransfer to version 2.4.3 or higher.

    <2.4.3
    Go back to all versions of this package