CVE-2024-39943

CRITICAL

rejetto HFS < 0.52.10 - Authenticated OS Command Injection via df Command Execution

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-39943. PoCs published by JenmrR, Heyholiday067.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2024-39943, demonstrating a Remote Command Execution (RCE) vulnerability in a Node.js-based HFS server. The exploit leverages a file upload feature that executes the uploaded file's content as a system command using `child_process.execSync()`.

Description

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

Exploits (2)

nomisec WORKING POC

by JenmrR · poc

https://github.com/JenmrR/Node.js-CVE-2024-39943

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2024-39943, demonstrating a Remote Command Execution (RCE) vulnerability in a Node.js-based HFS server. The exploit leverages a file upload feature that executes the uploaded file's content as a system command using `child_process.execSync()`.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Node.js-based HFS server (custom implementation)

No auth needed

Prerequisites: Access to the vulnerable server's upload endpoint

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by Heyholiday067 · poc

https://github.com/Heyholiday067/CVE-2024-39943-Poc

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-39943, which leverages improper command execution in rejetto HFS (HTTP File Server) on Linux/UNIX/macOS. The PoC uses authenticated API calls to create a folder with a malicious name that triggers command injection via the `df` command execution mechanism.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: rejetto HFS (HTTP File Server) 3 before 0.52.10

Auth required

Prerequisites: Authenticated user with Upload permissions · Target server running vulnerable HFS version · Network access to the target

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Patch

https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1d

View Patch ZIP pw:eip

Patch

https://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10

Product

https://www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads

Scores

CVSS v3 9.9

EPSS 0.7834

EPSS Percentile 99.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-78 CWE-284

Status published

Products (2)

npm/hfs 0 - 0.52.10npm

rejetto/http_file_server < 0.52.10

Published Jul 04, 2024

Tracked Since Feb 18, 2026