CVE-2021-47942 Overview
CVE-2021-47942 is a path traversal vulnerability [CWE-22] in Home Assistant Community Store (HACS) version 1.10.0. The flaw resides in the /hacsfiles/ endpoint, which fails to sanitize directory traversal sequences in requests. Unauthenticated remote attackers can read arbitrary files on the host filesystem by traversing outside the intended directory. The most impactful target is the .storage/auth file, which contains user credentials and refresh tokens. Attackers use the leaked refresh tokens to forge valid JSON Web Tokens (JWTs) and obtain administrative access to the underlying Home Assistant instance. This converts a file read primitive into full account takeover of smart-home automation infrastructure.
Critical Impact
Unauthenticated attackers can read the .storage/auth file via /hacsfiles/ and forge JWTs to gain administrative control of Home Assistant.
Affected Products
- Home Assistant Community Store (HACS) version 1.10.0
- Home Assistant deployments with HACS 1.10.0 installed
- Any internet-exposed Home Assistant instance running the vulnerable HACS integration
Discovery Timeline
- 2026-05-16 - CVE-2021-47942 published to the National Vulnerability Database (NVD)
- 2026-05-18 - Record last modified in NVD
Technical Details for CVE-2021-47942
Vulnerability Analysis
The vulnerability is a classic directory traversal flaw in a static file handler. HACS registers the /hacsfiles/ HTTP route to serve community integration assets from a designated content directory. The handler concatenates user-supplied path segments to the base directory without validating or canonicalizing them. As a result, sequences such as ../ traverse upward from the intended root and reach sensitive configuration files. The attack does not require authentication, user interaction, or any local foothold. Because Home Assistant stores long-lived refresh tokens in plaintext within .storage/auth, a single read primitive escalates directly into authenticated session forgery and administrative compromise.
Root Cause
The root cause is missing input validation on the file path component of requests to /hacsfiles/. The handler resolves relative path traversal sequences before opening the requested file, instead of rejecting them or constraining resolution to the content root. This violates the secure file serving pattern defined in [CWE-22], which requires canonicalization and prefix-bound checks against an allow-listed base directory.
Attack Vector
The attack vector is network based and unauthenticated. An attacker sends a crafted HTTP GET request to the HACS endpoint containing repeated ../ sequences followed by the target file path, for example /hacsfiles/../../.storage/auth. The server returns the file contents in the HTTP response body. The attacker parses the JSON response to extract the refresh_token value, then submits it to the Home Assistant /auth/token endpoint to mint a short-lived access JWT. With this token, the attacker performs any action available to the targeted user, including invoking services, modifying automations, and pivoting to integrated devices. A public proof of concept is published as Exploit-DB #49495, and further analysis is available in the VulnCheck Advisory on Home Assistant path traversal.
Detection Methods for CVE-2021-47942
Indicators of Compromise
- HTTP requests to /hacsfiles/ containing ../, ..%2f, or other encoded traversal sequences in access logs
- Successful HTTP 200 responses from /hacsfiles/ for paths referencing .storage/auth, configuration.yaml, or secrets.yaml
- New or unexpected access token grants from /auth/token shortly after suspicious /hacsfiles/ traffic
- Administrative actions originating from unfamiliar source IP addresses or user agents
Detection Strategies
- Inspect Home Assistant and reverse proxy logs for traversal patterns in any URI beginning with /hacsfiles/
- Correlate file-read style requests with subsequent token issuance events in the same session window
- Alert on outbound responses from /hacsfiles/ that exceed expected sizes for static asset delivery
Monitoring Recommendations
- Forward Home Assistant home-assistant.log and HTTP access logs to a centralized SIEM for traversal pattern matching
- Monitor authentication audit events for refresh tokens used from new IP addresses or geolocations
- Track file integrity on .storage/auth and alert on unexpected read access at the operating system layer
How to Mitigate CVE-2021-47942
Immediate Actions Required
- Upgrade HACS to a version later than 1.10.0 that addresses the /hacsfiles/ traversal handling
- Invalidate all existing refresh tokens by clearing .storage/auth entries and forcing re-authentication for every user
- Rotate API keys, integration secrets, and credentials referenced in secrets.yaml
- Remove direct internet exposure of Home Assistant and place it behind an authenticated reverse proxy or VPN
Patch Information
Apply the latest release of the HACS integration from the official GitHub HACS Integration Repository. Verify that the deployed version is above 1.10.0 after restart. Refer to the Home Assistant Official Site for guidance on supported core versions and upgrade procedures.
Workarounds
- Block requests containing .., %2e%2e, or %2f in the path component of /hacsfiles/ URIs at a reverse proxy or web application firewall
- Restrict access to the Home Assistant UI to trusted IP ranges using network ACLs until patching is complete
- Disable or uninstall the HACS integration on instances where it is not required
# Example NGINX rule to block traversal attempts against /hacsfiles/
location /hacsfiles/ {
if ($request_uri ~* "\.\.|%2e%2e") {
return 403;
}
proxy_pass http://homeassistant:8123;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
