Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01ZjR4LWh3djItdzl3Ms4AA9l_

rejetto HFS vulnerable to OS Command Execution by remote authenticated users

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

Permalink: https://github.com/advisories/GHSA-5f4x-hwv2-w9w2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01ZjR4LWh3djItdzl3Ms4AA9l_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 2 months ago
Updated: about 1 month ago

CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-5f4x-hwv2-w9w2, CVE-2024-39943
References:

Repository: https://github.com/rejetto/hfs
Blast Radius: 3.0

Affected Packages

npm:hfs

Dependent packages: 1
Dependent repositories: 2
Downloads: 1,200 last month
Affected Version Ranges: < 0.52.10
Fixed in: 0.52.10
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.26.0, 0.26.1, 0.26.2, 0.26.4, 0.26.5, 0.26.6, 0.26.7, 0.26.8, 0.26.9, 0.27.2, 0.29.0, 0.29.1, 0.30.0, 0.30.1, 0.30.2, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.34.1, 0.35.0, 0.36.0, 0.37.0, 0.38.1, 0.38.2, 0.38.3, 0.40.0, 0.40.1, 0.41.0, 0.42.2, 0.42.3, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.46.1, 0.47.1, 0.47.2, 0.47.3, 0.48.0, 0.48.2, 0.48.3, 0.49.0, 0.49.2, 0.49.3, 0.49.4, 0.50.0, 0.50.1, 0.50.2, 0.50.4, 0.50.5, 0.50.6, 0.51.0, 0.51.1, 0.51.2, 0.51.3, 0.51.4, 0.52.0, 0.52.1, 0.52.2, 0.52.3, 0.52.4, 0.52.5, 0.52.6, 0.52.7, 0.52.8, 0.52.9
All unaffected versions: 0.52.10, 0.53.0