CVE-2024-39943

CRITICAL

Rejetto HTTP File Server < 0.52.10 - Improper Access Control

Title source: rule

Description

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

Exploits (3)

nomisec WORKING POC

by JenmrR · poc

https://github.com/JenmrR/Node.js-CVE-2024-39943

View Code ZIP pw:eip

nomisec WORKING POC

by Heyholiday067 · poc

https://github.com/Heyholiday067/CVE-2024-39943-Poc

View Code ZIP pw:eip

inthewild

poc

https://github.com/truonghuuphuc/cve-2024-39943-poc

View on inthewild

References (3)

[Patch] https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1d

[Patch] https://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10

[Product] https://www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads

Scores

CVSS v3 9.9

EPSS 0.7834

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-78 CWE-284

Status published

Products (2)

npm/hfs 0 - 0.52.10npm

rejetto/http_file_server < 0.52.10

Published Jul 04, 2024

Tracked Since Feb 18, 2026