ZCyberNews

HACS Path Traversal CVE-2021-47942 Lets Attackers Steal Home

CVE-2021-47942 (CVSS 7.5) in Home Assistant Community Store 1.10.0 lets unauthenticated attackers read .storage/auth files via /hacsfiles/ traversal, forge JWT tokens, and gain...

Executive Summary

A path traversal vulnerability in the Home Assistant Community Store (HACS) version 1.10.0, tracked as CVE-2021-47942 with a CVSS base score of 7.5, allows unauthenticated attackers to read arbitrary files from the Home Assistant filesystem by sending specially crafted requests to the /hacsfiles/ endpoint. According to the NVD entry and the project's GitHub repository, an attacker can retrieve the .storage/auth file, which holds the user and credential records and the refresh tokens, including the per-token keys Home Assistant uses to sign access tokens. With that material the attacker can mint valid JSON Web Tokens (JWTs) without ever authenticating and escalate to full administrative control of the instance. The flaw was fixed in HACS 1.10.1, but no public advisory was issued at the time of disclosure.

Technical Analysis

HACS is a community-driven component store for Home Assistant, an open-source home automation platform. The vulnerability lies in how HACS 1.10.0 serves files under the /hacsfiles/ URL path, the route through which it exposes the frontend assets of installed plugins. The handler does not reject directory traversal sequences (../) before joining the requested name onto its base directory, so an attacker can step outside the intended web root and read any file the Home Assistant process can read.

The most valuable target is .storage/auth, which stores Home Assistant's authentication state: user accounts, credential records and refresh tokens, each refresh token carrying the key used to sign the short-lived access tokens. With a copy of this file an attacker can mint access tokens offline, without authenticating, and present them as any user, including the owner, gaining full control of the instance: automations, connected devices and sensitive configuration data. Tokens forged this way remain valid until the refresh token they derive from is deleted, which is why rotation matters after exposure.

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The 7.5 score corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, high confidentiality impact and no direct integrity or availability impact. The score understates the practical outcome, since the file read chains directly into authentication bypass and full compromise of the instance.

The HACS project addressed the issue in version 1.10.1 by validating the requested name and normalising the resulting path in the /hacsfiles/ handler so that it cannot resolve outside the serving directory. The fix was merged into the main branch without a formal security advisory, so users running older versions may be unaware that they remain exposed.
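To make the defect and the fix concrete, here is an added illustration in Python (the language HACS is written in) of a naive file-serving path join beside a hardened one. It is example code written for this article, not HACS's own handler, and the serving directory WEB_ROOT is a hypothetical placeholder:

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical serving directory; HACS's real layout is not reproduced here.
WEB_ROOT = "/config/www/community"


def resolve_vulnerable(root: str, requested: str) -> str:
    """Naive join: the caller's '../' segments are honoured, so the result
    can land anywhere the process can read (e.g. /config/.storage/auth)."""
    return os.path.normpath(os.path.join(root, unquote(requested)))


def resolve_hardened(root: str, requested: str) -> Optional[str]:
    """Decode, join, canonicalise, then refuse anything whose canonical
    form is not inside root. Returns None for rejected requests."""
    root = os.path.normpath(root)
    decoded = unquote(requested)
    if "\x00" in decoded:
        # NUL bytes can truncate the name in lower layers; never pass them on.
        return None
    # os.path.join discards root when 'decoded' is absolute, and normpath
    # collapses '..' segments; both cases end up outside root and fail below.
    candidate = os.path.normpath(os.path.join(root, decoded))
    # commonpath, not startswith: "/config/www/communityX" must not pass.
    if os.path.commonpath([root, candidate]) != root:
        return None
    # In a real handler, also apply os.path.realpath() once the file is known
    # to exist, so a symlink planted inside root cannot point back outside it.
    return candidate


if __name__ == "__main__":
    for name in ("plugin/card.js", "../../.storage/auth",
                 "..%2F..%2F.storage%2Fauth", "/etc/passwd"):
        print(f"{name!r:32} naive={resolve_vulnerable(WEB_ROOT, name)!s:40} "
              f"hardened={resolve_hardened(WEB_ROOT, name)}")
```

The percent-encoded request is decoded before the join in both variants, which is the realistic situation: the web framework has already decoded the URL by the time the handler sees it, so a check that only looks for a literal "../" in the raw request is not a defence.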

Mitigations & Recommendations

Home Assistant users running HACS should verify their installed version immediately and upgrade to 1.10.1 or later if they have not already done so. The installed version is recorded in custom_components/hacs/manifest.json under the version key, and the upgrade can be performed through the HACS interface or by reinstalling the integration from the official repository.

For users who cannot upgrade immediately, network-level mitigations are advised: restrict access to the Home Assistant web interface to trusted IP addresses or VPN connections, and place the instance behind a reverse proxy that rejects traversal patterns in request paths. Such rules, and any log monitoring for requests to /hacsfiles/, must account for percent-encoded variants (%2e%2e/, ..%2f, and double-encoded forms such as %252e%252e) rather than matching only a literal ../, and should be applied to both the raw request line and the decoded path, because the proxy and the application may normalise the URL differently. A 200 response to such a request indicates a successful read and should be treated as an incident.
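As an added example of the log check described above (not a tool from the HACS or Home Assistant projects), the following Python script scans access-log lines in the common nginx "combined" layout, percent-decodes each request path repeatedly so double-encoded traversal is caught, and flags requests to /hacsfiles/ that carry a ".." segment or canonicalise to a path outside that prefix. The log lines are constructed for this example and are not real logs:

```python
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (nginx "combined" style) written for
# this example; they are not real Home Assistant or HACS logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /hacsfiles/lovelace-card/card.js HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2022:10:00:02 +0000] "GET /hacsfiles/../../.storage/auth HTTP/1.1" 200 8192 "-" "curl/7.79.1"
203.0.113.7 - - [10/Jan/2022:10:00:03 +0000] "GET /hacsfiles/x/..%2F..%2F..%2F.storage%2Fauth HTTP/1.1" 200 8192 "-" "curl/7.79.1"
203.0.113.7 - - [10/Jan/2022:10:00:04 +0000] "GET /hacsfiles/x/%252e%252e/%252e%252e/.storage/auth HTTP/1.1" 404 0 "-" "curl/7.79.1"
198.51.100.9 - - [10/Jan/2022:10:00:05 +0000] "GET /api/states HTTP/1.1" 401 0 "-" "python-requests/2.26"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '..' (%252e%252e) is seen."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target: str, prefix: str = "/hacsfiles/") -> bool:
    """True if the request targets `prefix` and either carries a '..' segment
    (flagged even when it would stay inside, since clients never need it) or
    canonicalises to a path outside `prefix`."""
    path = fully_decode(urlsplit(target).path)
    if not path.startswith(prefix):
        return False
    canonical = posixpath.normpath(path)
    return ".." in path.split("/") or not canonical.startswith(prefix)


def find_traversal_attempts(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (client ip, raw request target, status) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_traversal_attempts(SAMPLE_LOG):
        verdict = "LIKELY SUCCESSFUL READ" if status == 200 else "attempt"
        print(f"{ip}  {status}  {target}  <- {verdict}")
```

The status code matters when triaging: the double-encoded request in the sample returns 404 because the server decoded it only once and looked for a literal file, but the two 200 responses with identical body sizes are the signature of a successful read of the same file, and the source address should be treated as an attacker who now holds the instance's tokens.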

Because the vulnerability allows unauthenticated file read, any Home Assistant instance exposed to the public internet is at risk. Users should assume that if their instance was reachable while running HACS 1.10.0, .storage/auth and every token in it have been compromised: delete all refresh tokens from each user's profile page (which invalidates any access tokens minted from them), change user passwords, and regenerate any long-lived access tokens, which are stored in the same file and would have been exposed too.
