PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart

Description

The upload PATCH flow under /files/:uploadId validates the mounted request path using the still-encoded req.path, but the downstream tus handler later writes using the decoded req.params.uploadId.

Recommendation

Update the psitransfer package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.4.3
• Patched version(s): 2.4.3

References

• GHSA-533q-w4g6-5586
• CVE-2026-41180
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Electerm runWidget has a path traversal that leads to arbitrary code execution - CVE-2026-43940
• FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
• Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) - CVE-2026-23733
• Happy DOM: VM Context Escape can lead to Remote Code Execution - CVE-2025-61927

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

psitransfer