GHSA-7QX6-F23W-3W7F
Vulnerability from github – Published: 2026-04-14 22:53 – Updated: 2026-04-14 22:53
Summary
The `GET /?redirect` endpoint in `goshs` v2.0.0-beta.6 performs an HTTP redirect to any attacker-supplied `url=` value and writes any attacker-supplied `header=Name: Value` pair into the response, without scheme/host validation, without a header-name allow-list, without authentication in the default deployment, and without the `checkCSRF()` guard that GHSA-jrq5-hg6x-j6g3 added to the other state-changing GET routes (`?mkdir`, `?delete`). The same dispatcher also lacks an `fs.Invisible` branch, so the endpoint stays responsive in `-I` stealth mode and reliably fingerprints an "invisible" goshs deployment with a single request.
Details
`httpserver/handler.go:222-228` — the dispatcher gates `?redirect` only with `denyForTokenAccess` (which only blocks share-token callers). It does not check `fs.Invisible` and does not call `checkCSRF`:

```go
if _, ok := req.URL.Query()["redirect"]; ok {
	if denyForTokenAccess(w, req) {
		return true
	}
	fs.handleRedirect(w, req)
	return true
}
```
`httpserver/handler.go:753-787` — `handleRedirect`:

```go
func (fs *FileServer) handleRedirect(w http.ResponseWriter, req *http.Request) {
	q := req.URL.Query()

	target := q.Get("url") // (1) no scheme/host validation
	if target == "" { /* 400 */ }

	status := http.StatusFound
	if s := q.Get("status"); s != "" { // (2) only constrained to 3xx
		code, err := strconv.Atoi(s)
		if err != nil || code < 300 || code > 399 { /* 400 */ }
		status = code
	}

	for _, h := range q["header"] { // (3) arbitrary header set
		parts := strings.SplitN(h, ": ", 2)
		if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" { /* 400 */ }
		w.Header().Set(strings.TrimSpace(parts[0]), parts[1])
	}

	http.Redirect(w, req, target, status) // (4) attacker Location

	body := fs.emitCollabEvent(req, status)
	logger.LogRequest(req, status, fs.Verbose, fs.Webhook, body)
}
```
`httpserver/server.go:85-100` — `BasicAuthMiddleware` is registered only when `fs.User != "" || fs.Pass != ""`; the default `goshs` invocation has neither, so `?redirect` is open to anyone on the network.
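A hardened form of the handler above, as an added example that is neither goshs code nor the project's own fix: it keeps the same query parameters (`url=`, `status=`, `header=`) but rejects any target that is not a same-origin absolute path or an https URL on an allow-listed host, restricts settable headers to an allow-list, and limits the status code to real redirect codes. The allow-listed host `files.example.internal` and the two header names are constructed for the demo; the project's `checkCSRF()` guard and `fs.Invisible` branch are left out because they depend on goshs internals.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
)

// Added example, not goshs code. Assumed policy: url= must be a same-origin
// absolute path or an https URL on an allow-listed host; header= may only set
// allow-listed names; status= is limited to real redirect codes. The
// allow-lists below are constructed for the demo.
var (
	allowedRedirectHosts = map[string]bool{"files.example.internal": true}
	allowedHeaders       = map[string]bool{"Cache-Control": true, "X-Request-Id": true}
	allowedStatus        = map[int]bool{301: true, 302: true, 303: true, 307: true, 308: true}
)

// ValidateTarget accepts only same-origin paths or allow-listed https hosts.
func ValidateTarget(target string) error {
	// Browsers treat "//host" and "/\host" as scheme-relative; reject both up front.
	if strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\") {
		return errors.New("scheme-relative url not allowed")
	}
	u, err := url.Parse(target)
	if err != nil {
		return err
	}
	if u.Scheme == "" && u.Host == "" && u.Opaque == "" && strings.HasPrefix(u.Path, "/") {
		return nil // same-origin absolute path such as /files/report.txt
	}
	if u.Scheme == "https" && allowedRedirectHosts[strings.ToLower(u.Hostname())] {
		return nil
	}
	return fmt.Errorf("redirect target %q not permitted", target)
}

// ValidateHeader parses "Name: Value", canonicalises the name and enforces the
// allow-list, so Set-Cookie or Strict-Transport-Security can never be set.
func ValidateHeader(raw string) (string, string, error) {
	parts := strings.SplitN(raw, ":", 2)
	if len(parts) != 2 {
		return "", "", errors.New("header must be Name: Value")
	}
	name := http.CanonicalHeaderKey(strings.TrimSpace(parts[0]))
	value := strings.TrimSpace(parts[1])
	if !allowedHeaders[name] || strings.ContainsAny(value, "\r\n") {
		return "", "", fmt.Errorf("header %q rejected", name)
	}
	return name, value, nil
}

// ValidateRedirect applies all checks and returns target, status and headers.
func ValidateRedirect(q url.Values) (string, int, map[string]string, error) {
	target := q.Get("url")
	if err := ValidateTarget(target); err != nil {
		return "", 0, nil, err
	}
	status := http.StatusFound
	if s := q.Get("status"); s != "" {
		code, err := strconv.Atoi(s)
		if err != nil || !allowedStatus[code] {
			return "", 0, nil, fmt.Errorf("status %q not permitted", s)
		}
		status = code
	}
	headers := map[string]string{}
	for _, h := range q["header"] {
		name, value, err := ValidateHeader(h)
		if err != nil {
			return "", 0, nil, err
		}
		headers[name] = value
	}
	return target, status, headers, nil
}

// HardenedRedirect is the handler; every validation failure is a generic 400
// so the caller's input is never reflected into the response.
func HardenedRedirect(w http.ResponseWriter, req *http.Request) {
	target, status, headers, err := ValidateRedirect(req.URL.Query())
	if err != nil {
		http.Error(w, "invalid redirect request", http.StatusBadRequest)
		return
	}
	for k, v := range headers {
		w.Header().Set(k, v)
	}
	http.Redirect(w, req, target, status)
}

// RunRedirect drives the handler in-process; returns status code and headers.
func RunRedirect(q url.Values) (int, http.Header) {
	req := httptest.NewRequest(http.MethodGet, "/?redirect&"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	HardenedRedirect(rec, req)
	return rec.Code, rec.Header()
}
```

`RunRedirect` exercises the handler through `httptest` without starting a listener, so the policy can be checked in a unit test: a same-origin `url=/files/report.txt` yields a 302 with that `Location`, while `url=//evil.example`, `url=https://evil.example/...`, a `status=399`, or any `header=Set-Cookie: ...` / `header=Strict-Transport-Security: ...` pair gets a 400 with no `Location` header at all. Rejecting via a fixed message rather than echoing the offending value also avoids turning the 400 page into a reflection point.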
PoC
poc.zip (https://github.com/user-attachments/files/26673401/poc.zip)
Please extract the uploaded compressed file before proceeding
1. docker build -t goshs-poc .
2. sh poc.sh
Impact
- Cross-subdomain session fixation — `Set-Cookie: …; Domain=.corp.com` lands a fixed session on every sibling app on the parent domain.
- TLS downgrade — `Strict-Transport-Security: max-age=0` invalidates prior HSTS state for the origin, enabling MITM on subsequent visits.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/patrickhener/goshs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/patrickhener/goshs/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.0-beta.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T22:53:33Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\nThe `GET /?redirect` endpoint in `goshs` v2.0.0-beta.6 performs an HTTP redirect to any attacker-supplied `url=` value and writes any attacker-supplied `header=Name: Value` pair into the response, without scheme/host validation, without a header-name allow-list, without authentication in the default deployment, and without the `checkCSRF()` guard that GHSA-jrq5-hg6x-j6g3 added to the other state-changing GET routes (`?mkdir`, `?delete`). The same dispatcher also lacks an `fs.Invisible` branch, so the endpoint stays responsive in `-I` stealth mode and reliably fingerprints an \"invisible\" goshs deployment with a single request.\n\n\n### Details\n`httpserver/handler.go:222-228` \u2014 the dispatcher gates `?redirect` only with `denyForTokenAccess` (which only blocks share-token callers). It does not check `fs.Invisible` and does not call `checkCSRF`:\n\n```go\nif _, ok := req.URL.Query()[\"redirect\"]; ok {\n if denyForTokenAccess(w, req) {\n return true\n }\n fs.handleRedirect(w, req)\n return true\n}\n```\n\n`httpserver/handler.go:753-787` \u2014 `handleRedirect`:\n\n```go\nfunc (fs *FileServer) handleRedirect(w http.ResponseWriter, req *http.Request) {\n q := req.URL.Query()\n\n target := q.Get(\"url\") // (1) no scheme/host validation\n if target == \"\" { /* 400 */ }\n\n status := http.StatusFound\n if s := q.Get(\"status\"); s != \"\" { // (2) only constrained to 3xx\n code, err := strconv.Atoi(s)\n if err != nil || code \u003c 300 || code \u003e 399 { /* 400 */ }\n status = code\n }\n\n for _, h := range q[\"header\"] { // (3) arbitrary header set\n parts := strings.SplitN(h, \": \", 2)\n if len(parts) != 2 || strings.TrimSpace(parts[0]) == \"\" { /* 400 */ }\n w.Header().Set(strings.TrimSpace(parts[0]), parts[1])\n }\n\n http.Redirect(w, req, target, status) // (4) attacker Location\n\n body := fs.emitCollabEvent(req, status)\n logger.LogRequest(req, status, fs.Verbose, fs.Webhook, body)\n}\n```\n\n`httpserver/server.go:85-100` \u2014 `BasicAuthMiddleware` is registered only when `fs.User != \"\" || fs.Pass != \"\"`; the default `goshs` invocation has neither, so `?redirect` is open to anyone on the network._Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\n### PoC\n[poc.zip](https://github.com/user-attachments/files/26673401/poc.zip)\nPlease extract the uploaded compressed file before proceeding\n\n1. docker build -t goshs-poc .\n2. sh poc.sh\n\n\u003cimg width=\"1379\" height=\"197\" alt=\"\u1109\u1173\u110f\u1173\u1105\u1175\u11ab\u1109\u1163\u11ba 2026-04-13 \u110b\u1169\u1112\u116e 8 04 20\" src=\"https://github.com/user-attachments/assets/a557846f-47c7-4640-9fc5-34aa099d1a57\" /\u003e\n\n\n### Impact\n- Cross-subdomain session fixation \u2014 `Set-Cookie: \u2026; Domain=.corp.com` lands a fixed session on every sibling app on the parent domain.\n- TLS downgrade \u2014 `Strict-Transport-Security: max-age=0` invalidates prior HSTS state for the origin, enabling MITM on subsequent visits.",
"id": "GHSA-7qx6-f23w-3w7f",
"modified": "2026-04-14T22:53:34Z",
"published": "2026-04-14T22:53:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7qx6-f23w-3w7f"
},
{
"type": "PACKAGE",
"url": "https://github.com/patrickhener/goshs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|