CVE-2021-33497
Description
Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for deleting files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/dutchcoders/transfer.sh (Go) | < 1.2.4 | 1.2.4 |
Affected products
- Dutchcoders/transfer.sh
Patches
Vulnerability mechanics
Root cause
"Missing validation in CheckDeletionToken allows deletion of files without metadata, enabling directory traversal."
Attack vector
An attacker can delete files outside the upload directory by sending a deletion request whose filename parameter contains a path traversal sequence such as `../`. `CheckDeletionToken` in `server/handlers.go` did not confirm that the metadata file for the target existed before proceeding: when the metadata was absent it returned `nil`, so the handler went on to remove whatever path the traversal resolved to (CWE-22, improper limitation of a pathname to a restricted directory). Because no metadata exists for such a path, there is no stored deletion token to compare against, so the attacker needs no valid token and the request is effectively unauthenticated.
Affected code
The vulnerability resides in `server/handlers.go` within the `CheckDeletionToken` function, which returned `nil` when the metadata file was missing and so allowed deletion of paths reached via traversal. The same patch also modifies `getHandler` to use a new `canContainsXSS` helper for content-type sanitization; that is a separate hardening bundled into the fix, not part of the traversal issue.
What the fix does
The patch changes `CheckDeletionToken` to return `errors.New("Metadata doesn't exist")` instead of `nil` when the metadata file is missing. Only files written through the upload path have a metadata record, so a path that resolves outside the storage directory has none and the deletion is now refused before any file is removed; the stored deletion token is then compared only for genuine uploads. The patch also introduces the `canContainsXSS` function to sanitize content types in the preview handler, closing a separate XSS vector.
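As an added example (not transfer.sh's own code), the following Go program models the deletion path described above: a `resolvePath` that joins the URL parameters onto the storage root without any containment check, a `checkDeletionToken` whose vulnerable mode returns `nil` when the metadata sidecar is missing and whose fixed mode returns the `Metadata doesn't exist` error the 1.2.4 patch introduced, and, as an extra layer that the patch itself does not add, a `filepath.Rel` containment check. The directory layout, the sidecar file name and JSON format, the token values, the `deleteUpload` helper and the token-mismatch message are assumptions for the demonstration; the sample files are constructed in a temporary directory. Under token `tok123`, the filename `../../secret.txt` resolves to a file one level above the storage root.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// metadata: per-upload sidecar holding the deletion token (layout is an assumption, not transfer.sh's).
type metadata struct {
	DeletionToken string `json:"deletion_token"`
}

// resolvePath joins the URL parameters as the vulnerable pattern does: Join collapses "../" but never refuses it.
func resolvePath(basedir, token, filename string) string {
	return filepath.Join(basedir, token, filename)
}

// insideBase reports whether target still lies under basedir; "..foo" is a legal name and must stay allowed.
func insideBase(basedir, target string) bool {
	rel, err := filepath.Rel(basedir, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// checkDeletionToken reads the sidecar and compares the token. With missingMetadataIsError=false it
// reproduces the pre-1.2.4 behaviour: an absent sidecar yields nil, so a path that was never uploaded passes.
func checkDeletionToken(basedir, token, filename, deletionToken string, missingMetadataIsError bool) error {
	raw, err := os.ReadFile(resolvePath(basedir, token, filename) + ".metadata")
	switch {
	case errors.Is(err, os.ErrNotExist) && missingMetadataIsError:
		return errors.New("Metadata doesn't exist") // the 1.2.4 fix
	case errors.Is(err, os.ErrNotExist):
		return nil // vulnerable: nothing to compare against, so "ok"
	case err != nil:
		return err
	}
	var m metadata
	if err := json.Unmarshal(raw, &m); err != nil {
		return err
	}
	if m.DeletionToken != deletionToken {
		return errors.New("Deletion token doesn't match") // message is an assumption
	}
	return nil
}

// deleteUpload is the handler core: check the token, then remove the file. In fixed mode it also refuses
// paths that escape basedir, a defence-in-depth layer beyond what the 1.2.4 patch itself changed.
func deleteUpload(basedir, token, filename, deletionToken string, fixed bool) error {
	if err := checkDeletionToken(basedir, token, filename, deletionToken, fixed); err != nil {
		return err
	}
	target := resolvePath(basedir, token, filename)
	if fixed && !insideBase(basedir, target) {
		return errors.New("path escapes storage directory")
	}
	return os.Remove(target)
}

// setupFixture writes constructed sample data: one upload with its sidecar under the storage root,
// plus a file outside the root for a traversal payload to hit.
func setupFixture(root string) (storage, secret string, err error) {
	storage = filepath.Join(root, "storage")
	secret = filepath.Join(root, "secret.txt")
	upload := filepath.Join(storage, "tok123", "report.pdf")
	meta, _ := json.Marshal(metadata{DeletionToken: "d3l"})
	if err = os.MkdirAll(filepath.Dir(upload), 0o755); err != nil {
		return
	}
	for path, body := range map[string][]byte{secret: []byte("not yours\n"), upload: []byte("%PDF-1.4 stub\n"), upload + ".metadata": meta} {
		if err = os.WriteFile(path, body, 0o644); err != nil {
			return
		}
	}
	return
}

func main() {
	root, err := os.MkdirTemp("", "transfersh-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, fixed := range []bool{false, true} {
		storage, secret, err := setupFixture(root)
		if err != nil {
			panic(err)
		}
		err = deleteUpload(storage, "tok123", "../../secret.txt", "guess", fixed)
		_, statErr := os.Stat(secret)
		fmt.Printf("fixed=%v err=%v secretGone=%v\n", fixed, err, errors.Is(statErr, os.ErrNotExist))
	}
}
```

Running it shows the vulnerable mode removing `secret.txt` with no valid token, and the fixed mode refusing with `Metadata doesn't exist` while the file survives. The containment check in `insideBase` is there because relying on the metadata lookup alone ties the security of every delete to the storage layer never having a stray file reachable by traversal; rejecting any resolved path that leaves the base directory makes the handler safe regardless.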
Preconditions
- network: The attacker must be able to send HTTP requests to the transfer.sh server
- auth: No authentication is required to trigger the deletion endpoint
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cf55-rq8x-hm6f (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-33497 (NVD entry)
- github.com/dutchcoders/transfer.sh/pull/373 (pull request, vendor confirmation)
- github.com/dutchcoders/transfer.sh/releases/tag/v1.2.4 (patched release)
- vuln.ryotak.me/advisories/44 (researcher advisory)
News mentions
No linked articles in our index yet.