Description
Rejetto HFS 3.0.0 through 3.2.0 allows path traversal through the lang query parameter, permitting a remote unauthenticated attacker to read certain JSON files outside the shared folders. Exploitation is constrained to files matching a narrow naming and format pattern, limiting practical impact.
Problem types
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Product status
3.0.0 (semver) before 3.2.1
Credits
Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
References
github.com/rejetto/hfs/releases/tag/v3.2.1 (hfs v3.2.1 Release Notes)
www.vulncheck.com/...re-via-path-traversal-in-lang-parameter