DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-RHF7-WVW3-VJVM: GHSA-RHF7-WVW3-VJVM: Cross-Origin Arbitrary File Write via Missing CSRF Protection in goshs

#security #cve #cybersecurity #ghsa

GHSA-RHF7-WVW3-VJVM: Cross-Origin Arbitrary File Write via Missing CSRF Protection in goshs

Vulnerability ID: GHSA-RHF7-WVW3-VJVM
CVSS Score: 8.8
Published: 2026-04-23

The goshs application, a single-binary file server written in Go, suffers from a Cross-Origin Arbitrary File Write vulnerability. The flaw exists due to an incomplete security patch that neglected to enforce Cross-Site Request Forgery (CSRF) protections on the HTTP PUT method. When combined with an overly permissive Cross-Origin Resource Sharing (CORS) configuration that unconditionally reflects Origin headers, an attacker can coerce a victim's browser into writing arbitrary files to the server.

TL;DR

goshs < 2.0.3 allows unauthenticated attackers to write arbitrary files via a victim's browser by combining a missing CSRF token check on PUT requests with a wildcard CORS policy.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-352 / CWE-942
  • Attack Vector: Network (Requires Victim Interaction)
  • Impact: Arbitrary File Write
  • Exploit Status: PoC Available
  • Authentication: None Required
  • Component: httpserver/updown.go (putHandler)

Affected Systems

  • patrickhener/goshs versions prior to 2.0.3
  • goshs: < 2.0.3 (Fixed in: 2.0.3)

Mitigation Strategies

  • Upgrade goshs to version 2.0.3 or higher.
  • Bind local development servers strictly to the loopback interface (127.0.0.1).
  • Execute file servers within tightly scoped, non-sensitive directories.
  • Implement strict egress filtering to prevent internal developer workstations from communicating with untrusted external domains.

Remediation Steps:

  1. Identify all hosts running patrickhener/goshs binaries within the environment.
  2. Download the updated goshs v2.0.3 binary from the official repository.
  3. Terminate running instances of vulnerable goshs versions.
  4. Replace the binary with the updated version and restart necessary services.

References

Read the full report for GHSA-RHF7-WVW3-VJVM on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)