CVE-2024-39943
Description
Authenticated users with Upload permissions can execute arbitrary OS commands on Linux/macOS HFS 3 servers via shell injection in the df command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2024-39943 is a command injection vulnerability in rejetto HFS (HTTP File Server) 3, affecting versions before 0.52.10 on Linux, UNIX, and macOS. The root cause is the use of execSync from Node.js's child_process module to invoke the df command with user-controlled path input. Unlike spawnSync, execSync runs the command through a shell, which allows an attacker to inject additional OS commands by embedding shell metacharacters in the file path.[1][4]
Exploitation
To exploit this vulnerability, an attacker must be an authenticated HFS user with Upload permissions. The attacker can upload a file with a crafted filename containing shell metacharacters (e.g., backticks or $()). When the server later queries disk space for that file (e.g., during directory listing or upload processing), the injected command is executed via execSync. No additional network position or authentication bypass is required beyond valid credentials with upload privileges.[1]
Impact
Successful exploitation allows a remote authenticated attacker to execute arbitrary OS commands on the HFS server with the privileges of the server process. This can lead to full compromise of the server, including data exfiltration, installation of backdoors, or lateral movement within the network. The vulnerability is rated with a high CVSS severity due to the low complexity and potential for complete system control.[1]
Mitigation
The vulnerability was fixed in HFS version 0.52.10, released on July 3, 2024. The commit replaces execSync with spawnSync, which does not pass arguments through a shell, preventing command injection.[4] Users should upgrade to the latest version immediately. No workaround is available for unpatched versions. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hfs (npm) | < 0.52.10 | 0.52.10 |
Affected products
- rejetto/HFS
Patches
305381bd36ee fix: remote-execution with upload permissions on mac+linux. Thanks to @charmindoge for reporting (CVE requested)
1 file changed · +2 −2
src/util-os.ts+2 −2 modified@@ -1,6 +1,6 @@ import { dirname, resolve } from 'path' import { existsSync } from 'fs' -import { exec, execSync } from 'child_process' +import { exec, execSync, spawnSync } from 'child_process' import { onlyTruthy, splitAt, try_ } from './misc' import _ from 'lodash' import { pid } from 'node:process' @@ -18,7 +18,7 @@ export function getDiskSpaceSync(path: string) { } while (path && !existsSync(path)) path = dirname(path) - const out = try_(() => execSync(`df -k "${path}"`).toString(), + const out = try_(() => spawnSync('df', ['-k', path]).stdout.toString(), err => { throw err.status === 1 ? Error('miss') : err.status === 127 ? Error('unsupported') : err }) if (!out?.startsWith('Filesystem')) throw Error('unsupported')
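Review bot: `execSync` is still imported in the first hunk even though this change removes its only visible use in `getDiskSpaceSync`; if nothing else in `src/util-os.ts` calls it, drop it from `import { exec, execSync, spawnSync } from 'child_process'` so a reader can confirm from the import line alone that the shell-based variant is gone from this file.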
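Review bot: the error-mapping callback in the second hunk becomes dead code, because `spawnSync` does not throw when `df` exits non-zero or cannot be spawned; it reports those on the returned object as `status` and `error`. As written, `err.status === 1 ? Error('miss') : err.status === 127 ? Error('unsupported') : err` never fires: a path `df` cannot stat falls through to the generic `'unsupported'` check instead of `'miss'`, and a missing `df` binary leaves `stdout` null so `.toString()` raises a TypeError. Bind the result and branch on it, e.g. `const r = spawnSync('df', ['-k', path]); if (r.error) throw Error('unsupported'); if (r.status === 1) throw Error('miss'); const out = r.stdout.toString()`.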
0fc82dc77364
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5f4x-hwv2-w9w2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-39943 (GHSA, advisory)
- github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1d (GHSA, web)
- github.com/rejetto/hfs/compare/v0.52.9...v0.52.10 (GHSA, web)
- www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads (GHSA, web)