goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
The vulnerability is located in the httpserver/updown.go file responsible for handling PUT requests. When uploading a file, the server does not verify or sanitize the target path provided by the client. An attacker can craft an HTTP PUT request containing path traversal sequences (e.g., '../../../'), which allow writing a file outside the server's designated working directory.
An attacker can write arbitrary files to any location in the file system accessible to the goshs process, which may lead to violations of confidentiality, integrity and availability of the system — including malicious code execution through overwriting critical configuration or binary files.
Goshs should be updated to version 2.0.0-beta.3 or newer, in which the vulnerability has been fixed. Until the update is applied, it is recommended to restrict network access to the goshs instance only to trusted hosts and disable PUT upload functionality if not required.
Goshs in all versions before 2.0.0-beta.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoshs
APPGoshs2.0.0< 2.0.0
Related vulnerabilities
Pominięcie uwierzytelnienia SFTP w serwerze goshs (auth bypass)
Goshs: wyciek tokenu GITHUB_TOKEN przez artefakty workflow (ArtiPACKED)
Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia
Path traversal w Goshs — brak return po walidacji ścieżki w deleteFile()
Path traversal w Goshs — brak sanityzacji katalogu przy uploadzie plików