← back
CVE-2024-39943

CVE-2024-39943

CVSS 9.9 CRITICALEPSS 48.5%CWE-284
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N
Affected products
n/a · n/a
public PoCs found2
githubgithub.com/Heyholiday067/CVE-2024-39943-Poc0githubgithub.com/JenmrR/Node.js-CVE-2024-399430
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1dhttps://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10https://www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads