GHSA-xjvp-7243-rg9h: Critical Path Traversal in Wish SCP Middleware Allows Arbitrary File Read/Write
Vulnerability ID: GHSA-XJVP-7243-RG9H
CVSS Score: 9.6
Published: 2026-04-18
A critical path traversal vulnerability in the SCP middleware of the Wish Go library (GHSA-xjvp-7243-rg9h) permits attackers to read and write arbitrary files outside the configured root directory. The flaw originates from insufficient path sanitization in the fileSystemHandler.prefixed() method, enabling severe impacts including remote code execution if critical system files are overwritten. Exploitation requires authentication unless the target server explicitly runs without authentication protocols.
TL;DR
A path traversal flaw in the Wish SCP middleware allows arbitrary file read and write operations outside the designated root directory via crafted SCP requests.
⚠️ Exploit Status: POC
Technical Details
- Advisory ID: GHSA-xjvp-7243-rg9h
- CVSS Score: 9.6
- Attack Vector: Network
- CWE ID: CWE-22
- Impact: Arbitrary File Read/Write
- Exploit Status: Proof-of-Concept Available
Affected Systems
- Custom SSH Servers built with charm.land/wish/v2 <= 2.0.0
- Custom SSH Servers built with github.com/charmbracelet/wish <= 1.4.7
-
charm.land/wish/v2: <= 2.0.0 (Fixed in:
2.0.1) -
github.com/charmbracelet/wish: <= 1.4.7 (Fixed in:
None)
Mitigation Strategies
- Dependency Upgrade
- Service Disablement
- Defense-in-Depth Isolation
Remediation Steps:
- Update go.mod to use charm.land/wish/v2 v2.0.1 or higher.
- Execute
go mod tidyto download the patched dependencies. - Recompile the Go application.
- Restart the custom SSH server service.
References
Read the full report for GHSA-XJVP-7243-RG9H on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)