PsiTransfer Path Traversal Vulnerability Leading to Unauthenticated Remote Code Execution
Vulnerability
A path traversal vulnerability exists in PsiTransfer versions prior to 2.4.3. In the upload PATCH flow under '/files/:uploadId', the request path is validated using 'req.path', which is still percent-encoded, while the downstream handler builds the write target from 'req.params.uploadId', which the router has already percent-decoded. Because the check and the write see two different views of the same value, a traversal sequence that is encoded in the URL passes the check and then decodes to '../' when the file is written. In deployments with a custom 'PSITRANSFER_UPLOAD_DIR' placed so that a traversal from it lands in the application root (for example the subdirectory 'conf'), an unauthenticated attacker can use this to write a 'config.<NODE_ENV>.js' file into the application root. That file is loaded as configuration on the next process restart, so the JavaScript it contains runs with the privileges of the service, resulting in remote code execution.
Impact
Exploitation of this vulnerability gives an unauthenticated attacker remote code execution on the server in the context of the PsiTransfer service account, compromising the confidentiality, integrity, and availability of the application and any data it stores.
Reproduction
To reproduce this vulnerability, set 'PSITRANSFER_UPLOAD_DIR' to a directory beneath the application root, such as 'conf'. Send a PATCH request to the '/files/:uploadId' endpoint with an 'uploadId' whose traversal sequences are percent-encoded, so that the check on the still-encoded 'req.path' does not see them, but which decode to a path that climbs out of the upload directory into the application root and names 'config.<NODE_ENV>.js'. The uploaded body should contain JavaScript that, when executed, creates a proof file. Restart the process and confirm that the proof file exists.
Remediation
Users can update to PsiTransfer version 2.4.3 or later, where this vulnerability has been patched.
