PT-2024-28745 · Rejetto · Rejetto Hfs

Charmindoge · Published 2024-07-04 · Updated 2024-08-24 · CVE-2024-39943

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: rejetto HFS (aka HTTP File Server) versions 3 before 0.52.10

Description: The issue allows OS command execution by remote authenticated users who have Upload permissions. This occurs because a shell is used to execute df with execSync instead of spawnSync from the Node.js child_process module. A proof-of-concept exploit has been released, posing a significant threat to systems running versions of HFS before 0.52.10 on Linux, UNIX, and macOS.

Recommendations: Update to version 0.52.10 to stay protected. As a temporary workaround, consider restricting Upload permissions for remote authenticated users until the update is applied. Additionally, be cautious when using the execSync function in Node.js: because it runs the command string through a shell, it poses a command-injection risk whenever that string includes untrusted input.

Weakness Enumeration: Improper Access Control; OS Command Injection

Related Identifiers: CVE-2024-39943, GHSA-5F4X-HWV2-W9W2

Affected Products: Rejetto Hfs