GHSA-xcxh-6cv4-q8p8
HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
Blast Radius
hfsReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.
Description
Summary
When adding a "web link" to the HFS virtual filesystem, the frontend opens it with target="_blank" but without the rel="noopener noreferrer" attribute. This allows the opened page to use the window.opener property to change the location of the original HFS tab.
Details
While most modern browsers have fixes already implemented for this target="_blank" exploit at the browser level, users on outdated browsers remain vulnerable. This means that if an admin of the HFS instance adds a link to an external third-party service (that they believe is safe at the time) and that service they added later becomes compromised, the malicious page could replace the original HFS tab's content with a phishing page. This does not require the admin account itself to be compromised, only that a legitimate linked site turns malicious.
Impact
Affected users (people using old browsers without the browser level fix) could be misled into entering their HFS credentials or other sensitive information into a fake site controlled by an attacker. This vulnerability is fixed in most modern browsers, but adding rel="noopener noreferrer" remains a best practice to protect legacy environments.
PoC
Firstly, in the HFS admin page, under the filesystem (/~/admin/#/fs) press "Add" then "web link" then set the link to take the user to to an HTML file that exploits this vulnerability, here is an example of a malicious HTML file's code:
<body>
<script>
window.opener.location = "https://example.org";
</script>
<b>Error loading...</b>
</body>
</html>
Now, in the HFS folder you placed this web link in, open HFS and click the web link, if you aren't on a modern browser that fixed this vulnerability on the browser level, then switch back to the HFS tab that opened it, and you should be taken to "https://example.org" if you tried the code I provided, or whatever other page you tried.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | hfs | all versions | 0.57.10 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for hfs. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update hfs to 0.57.10 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xcxh-6cv4-q8p8 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-xcxh-6cv4-q8p8 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-xcxh-6cv4-q8p8. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-xcxh-6cv4-q8p8 in your dependencies?
O3 detects GHSA-xcxh-6cv4-q8p8 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.