Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
AnalysisAI
Path traversal in patrickhener goshs SFTP rename operation enables authenticated attackers to write files outside the configured root directory. Versions 1.0.7 through 2.0.0-beta.3 fail to sanitize destination paths in SFTP rename commands, allowing low-privileged users to overwrite arbitrary filesystem locations with network access. High integrity impact with scope change indicates potential host compromise. No public exploit identified at time of analysis.
Technical ContextAI
CWE-1314 path traversal via incomplete input sanitization. The SFTP rename command implementation applies path normalization exclusively to source arguments while passing destination paths unchecked, enabling directory traversal sequences (../) to escape the chroot-style containment. CVSS scope change reflects potential impact beyond the vulnerable component's security boundary.
RemediationAI
Vendor-released patch: upgrade to goshs version 2.0.0-beta.4 or later, which implements destination path sanitization in SFTP rename operations. The fix is implemented in commit 141c188ce270ffbec087844a50e5e695b7da7744. If immediate upgrade is infeasible, disable SFTP functionality or restrict SFTP access to fully trusted users until patching. Verify no unauthorized files exist outside the intended root directory post-remediation. Full advisory available at https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx and release notes at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4. EPSS scoring indicates low observed exploitation activity.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21589
GHSA-2943-crp8-38xx