Description
A Zip Slip vulnerability in PsiTransfer allows an unauthenticated attacker to upload files with path traversal sequences in the filename (e.g. ../../../.ssh/authorized_keys). When a victim downloads the bucket as a .tar.gz archive and extracts it, malicious files are written outside the intended directory, potentially leading to RCE.
Recommendation
Update the psitransfer package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.3.1
- Patched version(s): 2.3.1
References
Related Issues
- Seroval affected by Denial of Service via Deeply Nested Objects - CVE-2026-24006
- Astro allows unauthorized third-party images in _image endpoint - CVE-2025-55303
- PsiTransfer: File integrity violation - CVE-2024-31454
- PsiTransfer: Violation of the integrity of file distribution - CVE-2024-31453
- Tags:
- npm
- psitransfer
Anything's wrong? Let us know Last updated on December 30, 2025