hfs@3.2.0-rc8

HTTP File Server

  • latest version

    3.2.1

  • latest non vulnerable version

  • first published

    14 years ago

  • latest version published

    6 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the hfs package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

    hfs is a HTTP File Server

    Affected versions of this package are vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) via predictable randomness in the authentication/session handling code in src/index.ts and src/api.auth.ts. An attacker can forge an administrator session cookie by collecting a few login responses, reconstructing the Math.random() state used to derive the session-signing key and login handshake identifier, and then generating a valid cookie. This breaks authentication and gives the attacker full administrative access to the server. In deployments that expose the server_code configuration feature, that access leads to remote code execution.

    How to fix Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)?

    Upgrade hfs to version 3.2.1 or higher.

    >=3.0.0 <3.2.1
    • M
    Cross-site Scripting (XSS)

    hfs is a HTTP File Server

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the basicWeb file-listing renderer in src/basicWeb.ts. An attacker can execute script in a victim’s browser by uploading a file with a malicious name and getting someone to open the fallback basic listing, including by forcing /?get=basic in a browser. The listing interpolates file names directly into HTML anchor text without escaping, so the payload is rendered as active markup instead of plain text. On servers that allow uploads to untrusted users, or expose an open upload folder anonymously, this lets the attacker store script in the listing and hijack the browsing session of anyone viewing it.

    How to fix Cross-site Scripting (XSS)?

    Upgrade hfs to version 3.2.1 or higher.

    <3.2.1
    • M
    Directory Traversal

    hfs is a HTTP File Server

    Affected versions of this package are vulnerable to Directory Traversal through the lang query parameter in the language-loading code in src/api.lang.ts and src/lang.ts. An attacker can read certain JSON files outside the shared folders by sending a crafted /?lang=... request that injects traversal segments into the language code. The affected code uses the lang value to select translation files without sufficiently constraining it to a valid language identifier, so a remote unauthenticated attacker can trigger limited file disclosure and expose application data that matches the expected JSON filename pattern.

    How to fix Directory Traversal?

    Upgrade hfs to version 3.2.1 or higher.

    >=3.0.0 <3.2.1
    • M
    Information Exposure

    hfs is a HTTP File Server

    Affected versions of this package are vulnerable to Information Exposure via differing responses in the loginSrp1 authentication handler in src/api.auth.ts. An attacker can confirm whether an account name exists, including the default admin account, by sending SRP step-1 login requests and comparing the endpoint’s response status and salt behavior for valid versus missing usernames. The login flow returns an immediate unauthorized response for unknown usernames while valid accounts proceed through SRP step 1, creating an observable difference without authentication. This lets a remote unauthenticated attacker probe usernames and then use the confirmed names to support password-guessing and session-forgery attacks.

    How to fix Information Exposure?

    Upgrade hfs to version 3.2.1 or higher.

    <3.2.1
    • M
    Cross-site Request Forgery (CSRF)

    hfs is a HTTP File Server

    Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the apiMiddleware request filter in src/apiMiddleware.ts. An attacker can create accounts or change configuration by causing a logged-in administrator’s browser to send a state-changing API request with the GET method and no x-hfs-anti-csrf header. The vulnerable middleware treated non-POST requests as CSRF-safe, so browser-triggered GET API calls bypassed the anti-CSRF check and reached administrative handlers such as add_account. In default deployments, the same flaw allows a remote attacker to trigger administrative actions without credentials if the request originates from the server’s own machine.

    How to fix Cross-site Request Forgery (CSRF)?

    Upgrade hfs to version 3.2.1 or higher.

    <3.2.1