Introduction
An unauthenticated path traversal flaw in the Home Assistant Community Store (HACS) allows any network adjacent attacker to read the credential storage file from a Home Assistant instance and forge a valid administrative session, all without ever logging in. With a public exploit script available on Exploit DB and evidence of vulnerable instances exposed on the internet, this vulnerability represents a realistic and practical threat to the large HACS user base.
HACS is a custom integration for Home Assistant that provides a graphical interface for discovering, installing, and managing community created components. The project has approximately 7,300 stars and 1,500 forks on GitHub, reflecting widespread adoption within the Home Assistant ecosystem. Given that Home Assistant is one of the most popular open source home automation platforms, vulnerabilities in widely used integrations like HACS carry a significant potential blast radius.
Technical Information
Root Cause: Unsanitized File Parameter in /hacsfiles/
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The /hacsfiles/ endpoint in HACS accepted a file parameter and passed it directly, without any sanitization, to the function responsible for locating the file on the filesystem. The intended behavior was to serve files from the /www/community/ directory. However, because the input was never validated, an attacker could inject directory traversal sequences (e.g., ../../) to escape the intended directory and read any file accessible to the Home Assistant process.
The fix introduced in HACS version 1.10.0 applied a sanitize path function to the requested file parameter before it was used for filesystem lookups. Home Assistant Core version 2021.1.3 added an additional platform level defense that intercepts directory traversal attempts before they reach any custom integration code.
Attack Flow
The exploitation chain is straightforward and requires no authentication at any stage:
Step 1: Fingerprint HACS. The attacker confirms that HACS is installed on the target by requesting a known file, such as iconset.js, through the /hacsfiles/ endpoint. A successful response confirms the integration is present.
Step 2: Read the credential file. The attacker crafts a request using directory traversal sequences to read the .storage/auth file. This file is the persistence mechanism Home Assistant uses to maintain user sessions without requiring a password for every interaction.
Step 3: Extract token material. The .storage/auth file contains two critical sections: users and refresh_tokens. The attacker extracts a valid refresh_token value and its associated jwt_key.
Step 4: Forge a JWT. Using the extracted jwt_key, the attacker generates a new JSON Web Token signed with the HS256 algorithm. This token is cryptographically valid and indistinguishable from one generated by a legitimate session.
Step 5: Inject the token. The attacker places the crafted token into their browser's local storage under the key hassTokens.
Step 6: Gain administrative access. Upon navigating to the Home Assistant instance, the application accepts the forged token and grants the attacker full administrative privileges.
The entire chain, from initial fingerprinting to administrative access, requires nothing more than network reachability to the Home Assistant instance.
Affected Systems and Versions
All versions of the Home Assistant Community Store (HACS) prior to version 1.10.0 are affected.
The same class of directory traversal vulnerability was also identified in several other Home Assistant custom integrations:
- Dwains Lovelace Dashboard (fixed in 2.0.1)
- Font Awesome (fixed in 1.3.0)
- BWAlarm ak74 edition (fixed in 1.12.8)
- Simple Icons (fixed in 1.10.0)
- Custom Updater, deprecated (fixed in latest commit)
- Custom icons (no fix available; should be removed)
Home Assistant Core versions prior to 2021.1.3 lack the platform level directory traversal protections that mitigate this class of vulnerability across all custom integrations.
Vendor Security History
The Home Assistant project demonstrated a well coordinated security response to this disclosure. After receiving the report on January 14, 2021, the team worked with the authors of affected custom integrations to develop fixes before public disclosure. The response included publishing a security bulletin, displaying banners and forum notifications, updating Companion apps to warn users of insecure instances, and coordinating with Nabu Casa to email subscribers and activate features that block remote access for insecure versions. The platform level fix in Core 2021.1.3, which adds systemic protections against directory traversal in all custom integrations, reflects a thoughtful approach to addressing the root cause beyond just the individual vulnerability.
References
- NVD Entry for CVE-2021-47942
- VulnCheck Advisory: Home Assistant Community Store Path Traversal Account Takeover
- Exploit DB: Home Assistant Community Store (HACS) 1.10.0 Directory Traversal (ID 49495)
- Home Assistant Security Disclosure Blog Post
- HACS Integration GitHub Repository
- HACS Fix Commit: Change File Handling (f2b7cb7)
- Home Assistant Official Website



