
rejetto HFS vulnerable to OS Command Execution by remote authenticated users

Critical severity GitHub Reviewed Published Jul 5, 2024 to the GitHub Advisory Database • Updated Aug 7, 2024

Package

npm hfs (npm)

Affected versions

< 0.52.10

Patched versions

0.52.10

Description

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users who have Upload permission. This occurs because df is executed through a shell (with execSync instead of spawnSync from the Node.js child_process module), so shell metacharacters in input that such users control are parsed by the shell and run as commands rather than being passed to df as a literal argument.

References

Published by the National Vulnerability Database Jul 4, 2024
Published to the GitHub Advisory Database Jul 5, 2024
Reviewed Jul 8, 2024
Last updated Aug 7, 2024

Severity

Critical

EPSS score

0.055% (24th percentile)

CVE ID

CVE-2024-39943

GHSA ID

GHSA-5f4x-hwv2-w9w2
