Vulnerability-Lookup

CVE-2026-41180 (GCVE-0-2026-41180)

Vulnerability from cvelistv5 – Published: 2026-04-23 00:10 – Updated: 2026-04-23 13:59

Title

PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart

Summary

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/psi-4ward/psitransfer/security…	x_refsource_CONFIRM
	https://github.com/psi-4ward/psitransfer/commit/8…	x_refsource_MISC
	https://github.com/psi-4ward/psitransfer/releases…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	psi-4ward	psitransfer	Affected: < 2.4.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41180",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-23T13:58:52.952704Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-23T13:59:14.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "psitransfer",
          "vendor": "psi-4ward",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.4.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.\u003cNODE_ENV\u003e.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T00:10:58.230Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586"
        },
        {
          "name": "https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6"
        },
        {
          "name": "https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3"
        }
      ],
      "source": {
        "advisory": "GHSA-533q-w4g6-5586",
        "discovery": "UNKNOWN"
      },
      "title": "PsiTransfer: Upload PATCH path traversal can create `config.\u003cNODE_ENV\u003e.js` and lead to code execution on restart"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41180",
    "datePublished": "2026-04-23T00:10:58.230Z",
    "dateReserved": "2026-04-17T16:34:45.526Z",
    "dateUpdated": "2026-04-23T13:59:14.836Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41180",
      "date": "2026-04-23",
      "epss": "0.00035",
      "percentile": "0.10381"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41180\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-23T02:16:15.977\",\"lastModified\":\"2026-04-23T15:37:23.917\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.\u003cNODE_ENV\u003e.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"PsiTransfer: Upload PATCH path traversal can create `config.\u003cNODE_ENV\u003e.js` and lead to code execution on restart\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-22\", \"lang\": \"en\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586\"}, {\"name\": \"https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6\"}, {\"name\": \"https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3\"}], \"affected\": [{\"vendor\": \"psi-4ward\", \"product\": \"psitransfer\", \"versions\": [{\"version\": \"\u003c 2.4.3\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-23T00:10:58.230Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.\u003cNODE_ENV\u003e.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.\"}], \"source\": {\"advisory\": \"GHSA-533q-w4g6-5586\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41180\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-23T13:58:52.952704Z\"}}}], \"references\": [{\"url\": \"https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-23T13:59:11.539Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41180\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-17T16:34:45.526Z\", \"datePublished\": \"2026-04-23T00:10:58.230Z\", \"dateUpdated\": \"2026-04-23T13:59:14.836Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-41180

Vulnerability from fkie_nvd - Published: 2026-04-23 02:16 - Updated: 2026-04-23 15:37

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6
	security-advisories@github.com	https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3
	security-advisories@github.com	https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.\u003cNODE_ENV\u003e.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch."
    }
  ],
  "id": "CVE-2026-41180",
  "lastModified": "2026-04-23T15:37:23.917",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-23T02:16:15.977",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-533Q-W4G6-5586

Vulnerability from github – Published: 2026-04-16 21:13 – Updated: 2026-04-16 21:13

Summary

PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart

Details

Summary

The upload PATCH flow under /files/:uploadId validates the mounted request path using the still-encoded req.path, but the downstream tus handler later writes using the decoded req.params.uploadId. In deployments that use a supported custom PSITRANSFER_UPLOAD_DIR whose basename prefixes a startup-loaded JavaScript path, such as conf, an unauthenticated attacker can create config.<NODE_ENV>.js in the application root. The attacker-controlled file is then executed on the next process restart.

Details

Observed in 2.4.1, the upload middleware derives fid from req.path.substring(1) and calls store.info(fid) before handing the request to tus. For a request such as /files/..%2Fconfig.production.js, this outer check sees the encoded value ..%2Fconfig.production.js. The downstream patch('/:uploadId') route, however, receives the decoded parameter ../config.production.js. In the same code path, the catch branch uses if(! e instanceof httpErrors.NotFound), which does not correctly stop execution on a missing upload target.

The write sink is Store.getFilename(fid), which resolves path.resolve(uploadDir, fid.replace('++', '/')) and then only checks startsWith(uploadDir). With a supported custom upload directory such as <app_root>/conf, the decoded target ../config.production.js resolves to <app_root>/config.production.js, and the current string-prefix jail check still accepts it because the resolved path begins with <app_root>/conf.

The file creation is observable even when the request ends in failure. store.append() creates the target write stream first and only consults the JSON sidecar in the finish handler. As a result, PATCH /files/..%2Fconfig.production.js returns 404 Not Found in my test, but still leaves an attacker-controlled config.production.js on disk.

On the next start, config.js executes require(path.resolve(__dirname, \config.${process.env.NODE_ENV}.js`))when the file exists. I verified this in a temporary copy of the application by settingNODE_ENV=productionandPSITRANSFER_UPLOAD_DIRto a customconfdirectory, sending a single PATCH request that wrote JavaScript intoconfig.production.js`, and then restarting the process. The attacker code executed during startup and created a proof file. Until a fix exists, the shortest safe workaround is to reject PATCH requests unless the expected sidecar metadata already exists and to avoid upload directory names that can prefix startup-loaded paths under the application root.

PoC

Start PsiTransfer 2.4.1 from source with NODE_ENV=production and a supported custom upload directory whose basename prefixes a startup-loaded file path, for example PSITRANSFER_UPLOAD_DIR=/opt/psitransfer/conf.
Send a PATCH request directly to the upload endpoint:

PATCH /files/..%2Fconfig.production.js HTTP/1.1
Host: target
Tus-Resumable: 1.0.0
Upload-Offset: 0
Content-Type: application/offset+octet-stream

module.exports = {}; require('fs').writeFileSync('/tmp/psitransfer-rce-proof', 'owned');

Observe that the response is 404 Not Found, but /opt/psitransfer/config.production.js is created and contains the attacker-controlled payload.
Restart the PsiTransfer process, or wait for the next routine restart under the same NODE_ENV.
Observe that /tmp/psitransfer-rce-proof is created during startup, confirming server-side JavaScript execution from the injected config.production.js.

Impact

The observed result is unauthenticated creation of an attacker-controlled startup configuration file outside the intended upload directory. In affected deployments, this becomes code execution with the PsiTransfer service account on the next process restart, allowing full compromise of the application's confidentiality, integrity, and availability within that execution context. Default Docker and default source/systemd examples did not satisfy the RCE precondition in my review because their documented upload directory names do not prefix startup-loaded paths, but the vulnerable logic is still reachable.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "psitransfer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:13:40Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.\u003cNODE_ENV\u003e.js` in the application root. The attacker-controlled file is then executed on the next process restart.\n\n### Details\n\nObserved in `2.4.1`, the upload middleware derives `fid` from `req.path.substring(1)` and calls `store.info(fid)` before handing the request to tus. For a request such as `/files/..%2Fconfig.production.js`, this outer check sees the encoded value `..%2Fconfig.production.js`. The downstream `patch(\u0027/:uploadId\u0027)` route, however, receives the decoded parameter `../config.production.js`. In the same code path, the `catch` branch uses `if(! e instanceof httpErrors.NotFound)`, which does not correctly stop execution on a missing upload target.\n\nThe write sink is `Store.getFilename(fid)`, which resolves `path.resolve(uploadDir, fid.replace(\u0027++\u0027, \u0027/\u0027))` and then only checks `startsWith(uploadDir)`. With a supported custom upload directory such as `\u003capp_root\u003e/conf`, the decoded target `../config.production.js` resolves to `\u003capp_root\u003e/config.production.js`, and the current string-prefix jail check still accepts it because the resolved path begins with `\u003capp_root\u003e/conf`.\n\nThe file creation is observable even when the request ends in failure. `store.append()` creates the target write stream first and only consults the JSON sidecar in the `finish` handler. As a result, `PATCH /files/..%2Fconfig.production.js` returns `404 Not Found` in my test, but still leaves an attacker-controlled `config.production.js` on disk.\n\nOn the next start, `config.js` executes `require(path.resolve(__dirname, \\`config.${process.env.NODE_ENV}.js\\`))` when the file exists. I verified this in a temporary copy of the application by setting `NODE_ENV=production` and `PSITRANSFER_UPLOAD_DIR` to a custom `conf` directory, sending a single PATCH request that wrote JavaScript into `config.production.js`, and then restarting the process. The attacker code executed during startup and created a proof file. Until a fix exists, the shortest safe workaround is to reject PATCH requests unless the expected sidecar metadata already exists and to avoid upload directory names that can prefix startup-loaded paths under the application root.\n\n### PoC\n\n1. Start PsiTransfer `2.4.1` from source with `NODE_ENV=production` and a supported custom upload directory whose basename prefixes a startup-loaded file path, for example `PSITRANSFER_UPLOAD_DIR=/opt/psitransfer/conf`.\n2. Send a PATCH request directly to the upload endpoint:\n\n```http\nPATCH /files/..%2Fconfig.production.js HTTP/1.1\nHost: target\nTus-Resumable: 1.0.0\nUpload-Offset: 0\nContent-Type: application/offset+octet-stream\n\nmodule.exports = {}; require(\u0027fs\u0027).writeFileSync(\u0027/tmp/psitransfer-rce-proof\u0027, \u0027owned\u0027);\n```\n\n3. Observe that the response is `404 Not Found`, but `/opt/psitransfer/config.production.js` is created and contains the attacker-controlled payload.\n4. Restart the PsiTransfer process, or wait for the next routine restart under the same `NODE_ENV`.\n5. Observe that `/tmp/psitransfer-rce-proof` is created during startup, confirming server-side JavaScript execution from the injected `config.production.js`.\n\n### Impact\n\nThe observed result is unauthenticated creation of an attacker-controlled startup configuration file outside the intended upload directory. In affected deployments, this becomes code execution with the PsiTransfer service account on the next process restart, allowing full compromise of the application\u0027s confidentiality, integrity, and availability within that execution context. Default Docker and default source/systemd examples did not satisfy the RCE precondition in my review because their documented upload directory names do not prefix startup-loaded paths, but the vulnerable logic is still reachable.",
  "id": "GHSA-533q-w4g6-5586",
  "modified": "2026-04-16T21:13:40Z",
  "published": "2026-04-16T21:13:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/psi-4ward/psitransfer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PsiTransfer: Upload PATCH path traversal can create `config.\u003cNODE_ENV\u003e.js` and lead to code execution on restart"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41180 (GCVE-0-2026-41180)

FKIE_CVE-2026-41180

GHSA-533Q-W4G6-5586

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature