goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3.
The deleteFile() function performs path validation checks for path traversal, but does not terminate code execution after detecting an invalid path — there is a missing return statement. As a result, further processing of the request is continued despite negative validation, allowing an attacker to manipulate the path (e.g., using '../' sequences) to escape the server's working directory and operate on arbitrary system files.
A remote, unauthenticated attacker can read, modify, or delete any files accessible to the server process, leading to violations of data confidentiality, integrity, and availability.
Update Goshs to version 2.0.0-beta.3 or later, in which the vulnerability has been fixed. Details are available in the project repository and in the GHSA-6qcc-6q27-whp8 security advisory.
Goshs (github.com/patrickhener/goshs) in versions prior to 2.0.0-beta.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoshs
APPGoshs2.0.0< 2.0.0
Related vulnerabilities
Pominięcie uwierzytelnienia SFTP w serwerze goshs (auth bypass)
Goshs: wyciek tokenu GITHUB_TOKEN przez artefakty workflow (ArtiPACKED)
Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia
Path traversal w Goshs — brak sanityzacji katalogu przy uploadzie plików
Path traversal w goshs — brak sanityzacji ścieżki przy PUT upload