HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
- Severity:
- Low
Description
When adding a “web link” to the HFS virtual filesystem, the frontend opens it with target="_blank" but without the rel="noopener noreferrer" attribute. This allows the opened page to use the window.opener property to change the location of the original HFS tab.
Recommendation
Update the hfs package to the latest compatible version. Followings are version details:
- Affected version(s): <= 0.57.9
- Patched version(s): 0.57.10
References
Related Issues
- DOM Clobbering Gadget found in astro's client-side router that leads to XSS - CVE-2024-47885
- Webrecorder packages are vulnerable to XSS through 404 error handling logic - CVE-2025-58765
- rejetto HFS vulnerable to OS Command Execution by remote authenticated users - CVE-2024-39943
- @strapi/plugin-content-manager leaks data via relations via the Admin Panel - CVE-2024-29181
- Tags:
- npm
- hfs
Anything's wrong? Let us know Last updated on August 12, 2025