rejetto HFS vulnerable to OS Command Execution by remote authenticated users
- Severity: High
Description
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
Recommendation
Update the hfs package to the latest compatible version. The following are the version details:
- Affected version(s): < 0.52.10
- Patched version(s): 0.52.10
References
- GHSA-5f4x-hwv2-w9w2
- www.rejetto.com
- CVE-2024-39943
- CWE-284
- CWE-78
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) - CVE-2020-28500
- CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package - CVE-2025-58064
- Payload's SQLite adapter Session Fixation vulnerability (GHSA-26rv-h2hf-3fw4) - CVE-2025-4644
- HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit - Vulnerability
- Tags: npm, hfs
Last updated on November 18, 2024