CVE-2021-33497

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to delete arbitrary files on the server through directory traversal in the file deletion functionality of transfer.sh. It affects all users running transfer.sh versions before 1.2.4. Attackers can exploit this to delete critical system files or application data.

💻 Affected Systems

Products:
  • dutchcoders transfer.sh
Versions: All versions before 1.2.4
Operating Systems: All platforms running transfer.sh
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of transfer.sh before version 1.2.4 are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files (like /etc/passwd, SSH keys, or application configuration files), leading to service disruption, data loss, or privilege escalation.

🟠 Likely Case

Unauthorized deletion of application files, user uploads, or configuration files causing service disruption and data loss for the transfer.sh service.

🟢 If Mitigated

Limited impact to non-critical files if proper file permissions and isolation are implemented, though service disruption is still possible.

🌐 Internet-Facing: HIGH - transfer.sh is typically deployed as an internet-facing file sharing service, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - If deployed internally only, risk is reduced but still significant if internal users can exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the file deletion endpoint and requires minimal technical skill to exploit. Public proof-of-concept details are available in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.4

Vendor Advisory: https://github.com/dutchcoders/transfer.sh/releases/tag/v1.2.4

Restart Required: Yes

Instructions:

1. Stop the transfer.sh service.
2. Update to version 1.2.4 or later using 'go get github.com/dutchcoders/transfer.sh' or download the release.
3. Rebuild and restart the service.

🔧 Temporary Workarounds

Disable file deletion functionality (applies to: all)

Remove or disable the file deletion endpoint entirely if not required:
  • Modify server configuration to disable DELETE endpoints
  • Comment out deletion routes in source code

Implement strict file path validation (applies to: all)

Add input validation to prevent directory traversal in file paths:
  • Implement path sanitization before file operations
  • Use absolute path resolution with boundary checks
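One way to implement the "absolute path resolution with boundary checks" workaround, as an added example in Go (the language transfer.sh is written in) that is not the project's own code; the storage root, the SafeJoin helper and the sample request inputs are assumptions made for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested path would leave the storage root.
var ErrTraversal = errors.New("path escapes storage root")

// SafeJoin resolves the token and filename taken from a request URL against
// root and returns the on-disk path, or ErrTraversal if the result would lie
// outside root. root is assumed to be an absolute directory path.
// Hypothetical helper written for this advisory, not transfer.sh's own code.
func SafeJoin(root, token, filename string) (string, error) {
	root = filepath.Clean(root)
	// First gate: each URL segment must be a bare name, never "." or "..",
	// and must not contain a path separator of either flavour.
	for _, seg := range []string{token, filename} {
		if seg == "" || seg == "." || seg == ".." || strings.ContainsAny(seg, `/\`) {
			return "", ErrTraversal
		}
	}
	full := filepath.Join(root, token, filename) // Join also cleans the result
	// Second gate (defence in depth): the path relative to root must not
	// begin with "..", which is the only way a cleaned path can leave root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	root := "/var/lib/transfersh" // constructed storage root
	// Constructed request inputs: one legitimate delete, two traversal attempts.
	for _, in := range [][2]string{
		{"abc123", "report.pdf"},
		{"abc123", "../../etc/passwd"},
		{"..", "passwd"},
	} {
		p, err := SafeJoin(root, in[0], in[1])
		fmt.Printf("%-26q -> path=%q err=%v\n", in[0]+"/"+in[1], p, err)
	}
}
```

The deletion handler should call SafeJoin before any os.Remove and treat ErrTraversal as a 404 or 400, logging the rejected request for the detection rules below.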

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to the deletion endpoint
  • Deploy the service in a container with read-only filesystem for critical directories

🔍 How to Verify

Check if Vulnerable:

Check if running transfer.sh version is below 1.2.4 using the version flag or by examining the binary

Check Version:

./transfer.sh --version or check the binary/build information

Verify Fix Applied:

Confirm version is 1.2.4 or higher and test deletion functionality with traversal attempts

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed file deletion attempts with unusual paths
  • DELETE requests containing '../' sequences
  • File deletion errors for non-existent paths outside expected directories

Network Indicators:

  • HTTP DELETE requests with path traversal sequences
  • Unusual patterns of file deletion requests

SIEM Query:

method=DELETE AND (uri CONTAINS "../" OR uri CONTAINS "..\\")
