@alon710
Created January 28, 2026 11:46
GHSA-xphh-5v4r-r3rx: PsiTransfer Zip Slip: When 'Download All' Becomes 'Hack All'

CVSS Score: 8.1
Published: 2025-12-30
Full Report: https://cvereports.com/reports/GHSA-xphh-5v4r-r3rx

Summary

A critical Path Traversal vulnerability in PsiTransfer allows attackers to weaponize the 'Download Archive' feature. By uploading files with malicious filenames, attackers can generate archives that perform arbitrary file overwrites on the victim's machine upon extraction.

TL;DR

PsiTransfer trusted user-supplied filenames a little too much. Attackers can upload files named like ../../.ssh/authorized_keys. When a victim downloads these files as a ZIP or TAR, the server dutifully packs that malicious path. If the victim extracts this archive, the attacker's file escapes the download folder and overwrites critical system files, potentially leading to RCE on the client machine.

Exploit Status: PoC

Technical Details

  • Bug Class: Path Traversal / Zip Slip
  • Attack Vector: Network (Uploaded Metadata)
  • CVSS: 8.1 (High)
  • Impact: Client-Side Arbitrary File Write
  • Component: Archive Generator (lib/endpoints.js)
  • Exploit Status: Functional PoC Available

Affected Systems

  • PsiTransfer < 2.3.1 (fixed in 2.3.1)

Mitigation

  • Input Sanitization
  • Output Encoding
  • Archive Hardening

Remediation Steps:

  1. Upgrade PsiTransfer to version 2.3.1 or later immediately.
  2. If upgrade is impossible, modify lib/endpoints.js to reject filenames containing '..' or '/'.
  3. Review stored metadata in data.json for existing malicious filenames.

Generated by CVEReports - Automated Vulnerability Intelligence
