Security researchers have unmasked three critical vulnerabilities in goshs, a popular high-performance replacement for Python’s SimpleHTTPServer. The flaws, all involving improper limitation of pathnames, allow unauthenticated attackers to write or delete files anywhere on a host’s filesystem, effectively turning a simple file-sharing tool into a remote access gateway.
The most severe issues, CVE-2026-35393 and CVE-2026-35392, both carry a CVSS score of 9.8. These vulnerabilities target the way goshs handles file uploads via POST and PUT requests.
While the developers implemented sanitization for filenames to strip out dangerous slashes, they completely neglected to sanitize the target directory derived from the URL path.
As the technical details reveal, “The handler uses req.URL.Path raw to build the save path. No filepath.Clean, no .. check, no webroot containment… The path is pure string concatenation with no validation”.
By crafting a URL like /../../target_dir/upload, an attacker can satisfy the server’s routing requirements while simultaneously escaping the intended webroot to write arbitrary files—such as web shells or configuration overrides—anywhere the service has permissions.
The third flaw, CVE-2026-35471, extends this lack of sanitization to the file deletion mechanism. Just as with the upload functions, the deleteFile() handler fails to validate that a deletion request stays within the authorized folder.
This allows an unauthenticated user to systematically delete critical system files or application data by simply sending a request with a traversed path. In default configurations, no flags or authentication are required to trigger this destructive behavior.
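The following Go snippet is an added illustration, not goshs source code, of the pattern the advisory describes for both the upload and the delete handlers: raw `req.URL.Path` concatenated onto the webroot, beside a hardened resolver that cleans the path, joins it under the webroot and then verifies the result is still contained in it. The function names (`unsafeSavePath`, `resolveWithinRoot`, `safeSavePath`, `safeDeletePath`), the `/srv/share` webroot and the request paths are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWebroot is returned when a request would resolve outside the
// directory the server is meant to expose.
var ErrOutsideWebroot = errors.New("path escapes webroot")

// unsafeSavePath mirrors the flawed pattern (hypothetical reconstruction,
// not goshs code): the raw URL path is glued onto the webroot with plain
// string concatenation and no cleaning or containment check.
func unsafeSavePath(webroot, urlPath, filename string) string {
	return webroot + urlPath + "/" + filename
}

// resolveWithinRoot joins the request elements under the webroot and
// rejects any result that does not stay inside it. filepath.Join cleans
// the result, so "/srv/share" + "/../../x" collapses to "/x", which then
// fails the prefix check instead of silently being written or deleted.
func resolveWithinRoot(webroot string, elems ...string) (string, error) {
	root := filepath.Clean(webroot)
	full := filepath.Join(append([]string{root}, elems...)...)
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrOutsideWebroot
	}
	return full, nil
}

// safeSavePath is the hardened upload path builder: the filename may not
// carry directory components, and the target directory from the URL path
// is confined to the webroot.
func safeSavePath(webroot, urlPath, filename string) (string, error) {
	if filename == "" || filename == "." || filename == ".." || filename != filepath.Base(filename) {
		return "", errors.New("invalid filename")
	}
	return resolveWithinRoot(webroot, urlPath, filename)
}

// safeDeletePath applies the same containment rule to the delete handler,
// which the advisory says was equally unvalidated.
func safeDeletePath(webroot, urlPath string) (string, error) {
	return resolveWithinRoot(webroot, urlPath)
}

func main() {
	const webroot = "/srv/share" // constructed example webroot
	traversal := "/../../target_dir/upload"

	raw := unsafeSavePath(webroot, traversal, "x.txt")
	fmt.Println("unsafe:", raw, "->", filepath.Clean(raw))

	if _, err := safeSavePath(webroot, traversal, "x.txt"); err != nil {
		fmt.Println("upload rejected:", err)
	}
	if p, err := safeSavePath(webroot, "/docs", "x.txt"); err == nil {
		fmt.Println("upload allowed:", p)
	}
	if _, err := safeDeletePath(webroot, "/../../outside/file.txt"); err != nil {
		fmt.Println("delete rejected:", err)
	}
}
```

Two caveats for anyone adapting this: net/http has already percent-decoded `req.URL.Path`, so `..` segments arrive literally and the check above sees them; and `filepath.Clean` does not resolve symlinks, so a webroot that contains symlinks pointing outside it needs `filepath.EvalSymlinks` on the parent directory before the prefix comparison.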
The goshs utility is often used by developers and sysadmins for quick file transfers because it supports features like HTTP/S, basic auth, and self-signed certificates. However, because these vulnerabilities affect the default configuration, any user running an unpatched version is immediately at risk.
The impact of “Unauthenticated arbitrary file write anywhere on the filesystem” cannot be overstated. It represents a complete loss of confidentiality, integrity, and availability for the host system.
The vulnerabilities affect all versions of goshs up to and including v2.0.0-beta.2. The development team has responded by releasing v2.0.0-beta.3, which implements critical path cleaning and validation logic.
Security Recommendations for Users:
- Update Immediately: Transition to version 2.0.0-beta.3 or later to ensure all upload and delete paths are properly sanitized.
- Use Basic Auth: While the flaws are exploitable unauthenticated in default mode, enabling HTTP Basic Auth can provide an additional layer of defense-in-depth.
- Run as Non-Root: Always run file-serving utilities with the lowest possible OS privileges. This ensures that even if a path traversal occurs, the attacker cannot modify sensitive system directories like /etc/ or /bin/.