CVE-2021-40668

8.1 HIGH

📋 TL;DR

This path traversal vulnerability in Android HTTP File Server 1.4.1 allows attackers to access, list, and modify files outside the intended directory. It affects users running this specific version of the file server application on Android devices. The vulnerability enables unauthorized file operations through specially crafted requests.

💻 Affected Systems

Products:
  • HTTP File Server by slowscript
Versions: Version 1.4.1
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific Android application version; other platforms or versions are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the device file system, including theft of sensitive data, malware installation, or device takeover if combined with other vulnerabilities.

🟠 Likely Case

Unauthorized access to sensitive files stored on the device, potential data exfiltration, and file system manipulation.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, restricting exposure to trusted networks only.

🌐 Internet-Facing: HIGH - If exposed to the internet, attackers can exploit this remotely without authentication.
🏢 Internal Only: MEDIUM - Still a significant risk on internal networks, but requires the attacker to have network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal payloads suffice; no authentication is required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

Uninstall the vulnerable application and replace it with an alternative file server solution.

🔧 Temporary Workarounds

Network Isolation (platform: all)

Restrict application access to trusted networks only.

Configure the firewall to block external access to the port used by HTTP File Server.

Application Removal (platform: android)

Uninstall the vulnerable application completely:

adb uninstall slowscript.httpfileserver
Settings > Apps > HTTP File Server > Uninstall

🧯 If You Can't Patch

  • Disable or uninstall the HTTP File Server application immediately
  • Implement strict network segmentation and firewall rules to prevent external access

🔍 How to Verify

Check if Vulnerable:

Check app version in Android settings: Settings > Apps > HTTP File Server > App info

Check Version:

adb shell dumpsys package slowscript.httpfileserver | grep versionName

Verify Fix Applied:

Confirm that the application is no longer installed, or verify that network access to it is properly restricted.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns
  • Requests containing '../' sequences
  • Access to files outside expected directories

Network Indicators:

  • HTTP requests with path traversal payloads to file server port
  • Unusual file download patterns

SIEM Query:

http.url:*../* AND dest_port:[PORT] AND app:"HTTP File Server"
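A defender-side check for the log indicators above, added here as an example (it is not part of this advisory or of the HTTP File Server project): it scans constructed access-log lines for dot-dot segments, including percent-encoded and double-encoded forms that the literal `*../*` SIEM pattern would miss, and separates requests that actually climb above the served root from ones that merely contain `..`. The combined-log line format and the assumption that the app publishes one directory at the URL root are mine; adapt the regex to whatever the server actually logs.

```python
import re
from urllib.parse import unquote

# Constructed combined-log style lines (not real traffic); the server is assumed
# to publish one shared directory at the URL root, so '..' above '/' escapes it.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2021:13:55:36 +0000] "GET /docs/report.pdf HTTP/1.1" 200 5120
192.0.2.11 - - [10/Oct/2021:13:55:40 +0000] "GET /docs/../../data/config.xml HTTP/1.1" 200 812
192.0.2.12 - - [10/Oct/2021:13:55:44 +0000] "GET /docs/%2e%2e%2f%2e%2e%2fdata/config.xml HTTP/1.1" 200 812
192.0.2.13 - - [10/Oct/2021:13:55:48 +0000] "GET /docs/%252e%252e%252f%252e%252e%252fdata/x HTTP/1.1" 404 0
192.0.2.14 - - [10/Oct/2021:13:55:50 +0000] "GET /docs/a/../b.txt HTTP/1.1" 200 10
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_path(raw, rounds=3):
    """Drop the query string and percent-decode repeatedly, so a double-encoded
    %252e%252e%252f collapses to '../' just like a single-encoded %2e%2e%2f."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslashes as separators as well

def classify_path(raw):
    """'escape' if '..' segments climb above the URL root, 'dotdot' if '..'
    occurs but the path stays inside the root, None for clean paths."""
    depth = lowest = 0
    seen_dotdot = False
    for seg in decode_path(raw).split("/"):
        if seg == "..":
            seen_dotdot, depth = True, depth - 1
            lowest = min(lowest, depth)
        elif seg not in ("", "."):
            depth += 1
    if lowest < 0:
        return "escape"
    return "dotdot" if seen_dotdot else None

def scan_log(text):
    """Return (source, path, status, verdict) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (verdict := classify_path(m["path"])):
            hits.append((m["src"], m["path"], m["status"], verdict))
    return hits
```

An `escape` verdict with a 200 status is the strongest signal of successful traversal; `dotdot` hits that stay inside the root are usually benign but worth a lower-severity alert.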
