Rejetto · Rejetto Hfs · CVE-2024-39943
**Name of the Vulnerable Software and Affected Versions**
rejetto HFS (aka HTTP File Server) 3.x, versions before 0.52.10
**Description**
The issue allows OS command execution by remote authenticated users who have Upload permissions. It occurs because HFS runs `df` through a shell using `execSync` from Node.js's `child_process` module instead of `spawnSync`, so shell metacharacters in the attacker-controlled input reach the shell and are interpreted. A proof-of-concept exploit has been released, posing a significant threat to systems running versions of HFS before 0.52.10 on Linux, UNIX, and macOS.
**Recommendations**
Update to version 0.52.10 or later to stay protected. As a temporary workaround, consider restricting Upload permissions for remote authenticated users until the update is applied. More generally, avoid `execSync` (or any API that builds a shell command line from strings) with untrusted input in Node.js; prefer `spawnSync` or `execFileSync` with an explicit argument array, which starts the program directly without a shell.