


Perceptive Security
SOC/SIEM Consultancy

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted r…
Published:
22 April 2026 at 22:00:00
Alert date:
23 April 2026 at 03:01:27
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
PsiTransfer, an open source file sharing solution, contains a critical vulnerability prior to version 2.4.3. The issue stems from inconsistent path validation in the upload PATCH flow: the traversal check runs against the still URL-encoded request path, while the file is written using the decoded route parameter. An unauthenticated attacker can therefore percent-encode traversal sequences so that they pass validation and are only turned into real path separators after the check. In deployments with a custom PSITRANSFER_UPLOAD_DIR setting, this lets the attacker create config files in the application root. Because those attacker-controlled JavaScript files are loaded when the process restarts, the flaw leads to remote code execution. The vulnerability affects the /files/:uploadId endpoint and has been patched in version 2.4.3.
Technical details
Mitigation steps:
Affected products:
PsiTransfer
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41180
https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6
https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3
https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
