ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2021-47942 Path Traversal in HACS Leads to Home Assistant Account Takeover

A short review of CVE-2021-47942, a path traversal vulnerability in the Home Assistant Community Store (HACS) that allows unauthenticated attackers to read sensitive credential files and forge administrative JWT tokens.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-16

Brief Summary: CVE-2021-47942 Path Traversal in HACS Leads to Home Assistant Account Takeover
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated path traversal flaw in the Home Assistant Community Store (HACS) allows any network adjacent attacker to read the credential storage file from a Home Assistant instance and forge a valid administrative session, all without ever logging in. With a public exploit script available on Exploit DB and evidence of vulnerable instances exposed on the internet, this vulnerability represents a realistic and practical threat to the large HACS user base.

HACS is a custom integration for Home Assistant that provides a graphical interface for discovering, installing, and managing community created components. The project has approximately 7,300 stars and 1,500 forks on GitHub, reflecting widespread adoption within the Home Assistant ecosystem. Given that Home Assistant is one of the most popular open source home automation platforms, vulnerabilities in widely used integrations like HACS carry a significant potential blast radius.

Technical Information

Root Cause: Unsanitized File Parameter in /hacsfiles/

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The /hacsfiles/ endpoint in HACS accepted a file parameter and passed it directly, without any sanitization, to the function responsible for locating the file on the filesystem. The intended behavior was to serve files from the /www/community/ directory. However, because the input was never validated, an attacker could inject directory traversal sequences (e.g., ../../) to escape the intended directory and read any file accessible to the Home Assistant process.

The fix introduced in HACS version 1.10.0 applied a sanitize path function to the requested file parameter before it was used for filesystem lookups. Home Assistant Core version 2021.1.3 added an additional platform level defense that intercepts directory traversal attempts before they reach any custom integration code.

Attack Flow

The exploitation chain is straightforward and requires no authentication at any stage:

Step 1: Fingerprint HACS. The attacker confirms that HACS is installed on the target by requesting a known file, such as iconset.js, through the /hacsfiles/ endpoint. A successful response confirms the integration is present.

Step 2: Read the credential file. The attacker crafts a request using directory traversal sequences to read the .storage/auth file. This file is the persistence mechanism Home Assistant uses to maintain user sessions without requiring a password for every interaction.

Step 3: Extract token material. The .storage/auth file contains two critical sections: users and refresh_tokens. The attacker extracts a valid refresh_token value and its associated jwt_key.

Step 4: Forge a JWT. Using the extracted jwt_key, the attacker generates a new JSON Web Token signed with the HS256 algorithm. This token is cryptographically valid and indistinguishable from one generated by a legitimate session.

Step 5: Inject the token. The attacker places the crafted token into their browser's local storage under the key hassTokens.

Step 6: Gain administrative access. Upon navigating to the Home Assistant instance, the application accepts the forged token and grants the attacker full administrative privileges.

The entire chain, from initial fingerprinting to administrative access, requires nothing more than network reachability to the Home Assistant instance.

Affected Systems and Versions

All versions of the Home Assistant Community Store (HACS) prior to version 1.10.0 are affected.

The same class of directory traversal vulnerability was also identified in several other Home Assistant custom integrations:

  • Dwains Lovelace Dashboard (fixed in 2.0.1)
  • Font Awesome (fixed in 1.3.0)
  • BWAlarm ak74 edition (fixed in 1.12.8)
  • Simple Icons (fixed in 1.10.0)
  • Custom Updater, deprecated (fixed in latest commit)
  • Custom icons (no fix available; should be removed)

Home Assistant Core versions prior to 2021.1.3 lack the platform level directory traversal protections that mitigate this class of vulnerability across all custom integrations.

Vendor Security History

The Home Assistant project demonstrated a well coordinated security response to this disclosure. After receiving the report on January 14, 2021, the team worked with the authors of affected custom integrations to develop fixes before public disclosure. The response included publishing a security bulletin, displaying banners and forum notifications, updating Companion apps to warn users of insecure instances, and coordinating with Nabu Casa to email subscribers and activate features that block remote access for insecure versions. The platform level fix in Core 2021.1.3, which adds systemic protections against directory traversal in all custom integrations, reflects a thoughtful approach to addressing the root cause beyond just the individual vulnerability.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization