CVE-2024-39943: 
JavaScript vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-39943) has been identified in rejetto HFS (HTTP File Server) version 3 before 0.52.10 affecting Linux, UNIX, and macOS systems. The vulnerability allows remote authenticated users with upload permissions to execute operating system commands. This security flaw was discovered and reported by security researcher Charmin Doge (Security Online).

The vulnerability stems from the improper implementation of command execution in HFS, specifically in how it handles the df command. The issue occurs because the system uses execSync instead of spawnSync in the Node.js child_process, which inadvertently enables shell command execution. The vulnerability has received a Critical CVSS v3.1 score of 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-284 (Improper Access Control) (NVD).

The vulnerability enables authenticated users with upload permissions to execute arbitrary operating system commands on the affected systems. This could potentially lead to complete system compromise, allowing attackers to gain unauthorized access to sensitive data, modify system configurations, or execute malicious code (ASEC).

Users are strongly advised to update their HFS installation to version 0.52.10 or later, which contains the fix for this vulnerability. The patch replaces the vulnerable execSync call with spawnSync in the Node.js child_process implementation. For systems that cannot be immediately updated, it is recommended to restrict upload permissions to only trusted users and implement additional security controls such as firewalls and intrusion detection systems (Security Online).