CVE Reports
Originally published at cvereports.com

GHSA-MXG3-432P-MR72: SSH Host Key Verification Disabled in goshs

Vulnerability ID: GHSA-MXG3-432P-MR72
CVSS Score: 8.1
Published: 2026-05-15

A critical vulnerability in the Go-based file server goshs allows transparent Man-in-the-Middle (MITM) attacks during SSH tunnel establishment. Versions prior to 2.0.7 set ssh.InsecureIgnoreHostKey() as the HostKeyCallback, so the client accepts any host key and never validates the remote server's identity.

TL;DR

goshs versions before 2.0.7 disable SSH host key verification when establishing remote tunnels. This flaw allows an attacker with a privileged network position to intercept the SSH connection and access the underlying unencrypted HTTP traffic.


Technical Details

  • CWE ID: CWE-295 (Improper Certificate Validation)
  • Attack Vector: Network (Adjacent/Intercepting)
  • CVSS v3.1: 8.1 (Estimated)
  • Impact: High (Confidentiality & Integrity via MITM)
  • Exploit Status: None (Unweaponized)
  • KEV Status: Not Listed

Affected Systems

  • goshs: versions < 2.0.7 (fixed in 2.0.7)

Code Analysis

Commit: 8f409cb

Fix insecure SSH host key verification via Trust-On-First-Use implementation

Mitigation Strategies

  • Upgrade goshs to version 2.0.7 or later to ensure the Trust-On-First-Use (TOFU) mechanism is active.
  • Manually verify the SSH host key fingerprint of the tunnel provider during the first connection attempt.
  • Implement network monitoring to detect unexpected changes in SSH routing paths or anomalous intermediate hops.

Remediation Steps:

  1. Stop any running instances of goshs.
  2. Download the v2.0.7 binary from the official GitHub releases page or rebuild the application from the tagged source.
  3. Start the updated goshs binary with the --tunnel flag.
  4. When prompted or during initial setup, compare the displayed server fingerprint against the public documentation provided by the tunnel service (e.g., localhost.run).
  5. Instruct users on how to properly handle HostKeyMismatchError alerts, explicitly forbidding the automated deletion of the known_hosts file without verification.
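
The trust-on-first-use check that the mitigation and remediation steps above depend on, written against the Go standard library only. This is an added example, not goshs's code or the code from the fix commit; `CheckTOFU`, `Fingerprint`, `ErrHostKeyMismatch`, the pin-file format and the sample host and key bytes are assumptions made for illustration.

```go
// Added example (not goshs code): trust-on-first-use pinning, stdlib only.
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrHostKeyMismatch (hypothetical name): presented key differs from the pin.
var ErrHostKeyMismatch = errors.New("host key mismatch")

// Fingerprint renders marshaled key bytes the way ssh.FingerprintSHA256 does.
func Fingerprint(keyBytes []byte) string {
	sum := sha256.Sum256(keyBytes)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// CheckTOFU pins host's key in the file at path on first use and rejects any
// later change. With golang.org/x/crypto/ssh, call it from a HostKeyCallback,
// passing key.Marshal(), in place of ssh.InsecureIgnoreHostKey().
func CheckTOFU(path, host string, keyBytes []byte) (bool, error) {
	fp := Fingerprint(keyBytes)
	data, err := os.ReadFile(path)
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return false, err // fail closed if the pin store is unreadable
	}
	for _, line := range strings.Split(string(data), "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == host {
			if f[1] != fp { // never overwrite the pin automatically
				return false, fmt.Errorf("%w: %s pinned %s, got %s", ErrHostKeyMismatch, host, f[1], fp)
			}
			return false, nil
		}
	}
	// First contact: record the pin; the operator verifies fp out of band.
	out, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return false, err
	}
	_, err = fmt.Fprintf(out, "%s %s\n", host, fp)
	if cerr := out.Close(); err == nil {
		err = cerr
	}
	return err == nil, err
}

func main() {
	dir, _ := os.MkdirTemp("", "tofu")
	defer os.RemoveAll(dir)
	for _, k := range []string{"constructed-key-A", "constructed-key-A", "constructed-key-B"} { // constructed keys
		fmt.Println(CheckTOFU(dir+"/pins", "tunnel.example:22", []byte(k)))
	}
}
```

The first return value tells the caller when a key was pinned for the first time, which is the moment to display the fingerprint for comparison against the tunnel provider's published value.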
