goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
When handling a POST request with multipart data (file upload), the application does not sanitize the target directory path. An attacker can submit a specially crafted request containing path traversal sequences (e.g., '../'), allowing the file to be written to any location in the file system accessible to the server process. The attack does not require authentication or user interaction.
An attacker can write arbitrary files to unauthorized locations in the file system, potentially leading to data confidentiality and integrity violations, and in extreme cases — to code execution or system compromise (e.g., by overwriting configuration files or startup scripts).
Goshs should be updated to version 2.0.0-beta.3 or newer, where the vulnerability has been fixed. Until the update is applied, it is recommended to restrict network access to the Goshs instance to trusted hosts only.
Goshs in versions earlier than 2.0.0-beta.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoshs
APPGoshs2.0.0< 2.0.0
Related vulnerabilities
Pominięcie uwierzytelnienia SFTP w serwerze goshs (auth bypass)
Goshs: wyciek tokenu GITHUB_TOKEN przez artefakty workflow (ArtiPACKED)
Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia
Path traversal w Goshs — brak return po walidacji ścieżki w deleteFile()
Path traversal w goshs — brak sanityzacji ścieżki przy PUT upload