goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

The impact of this vulnerability is severe. An attacker can leverage the Path Traversal flaw to read sensitive files from the server's file system. This could include configuration files, source code, database credentials, or any other data stored on the system. Successful exploitation could lead to complete compromise of the server and its data. The lack of authentication requirements makes this vulnerability particularly dangerous, as any user can potentially exploit it. The vulnerability's location within the file deletion handler suggests an attacker could potentially gain access to files they shouldn't have permission to delete, leading to data loss or corruption if combined with other exploits.

Organizations running goshs in production environments, particularly those with exposed file sharing services, are at significant risk. Shared hosting environments where multiple users share the same goshs instance are especially vulnerable, as an attacker could potentially exploit the vulnerability to access files belonging to other users. Systems with legacy goshs configurations lacking proper access controls are also at increased risk.

• linux / server:

journalctl -u goshs | grep -i "path traversal"

• generic web:

curl -I http://your-goshs-server/delete?delete=../../../../etc/passwd

Check the response headers and body for any signs of file access or errors indicating path traversal. • generic web:

 grep -r "filepath.FromSlash" /path/to/goshs/source/code

Look for instances of filepath.FromSlash that might be vulnerable to path traversal.

1. 2026-04-03Disclosure

   disclosure

1. 予約済み2026-04-02
2. 公開日2026-04-03
3. 更新日2026-04-07
4. EPSS 更新日2026-04-14

The primary mitigation for CVE-2026-35471 is to immediately upgrade to version 1.1.5-0.20260401172448-237f3af891a9 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the /delete endpoint using a web application firewall (WAF) or proxy server. Configure the WAF to block requests containing .. in the path. Carefully review and restrict file system permissions to minimize the potential impact of a successful attack. Monitor access logs for suspicious activity, particularly requests to the /delete endpoint with unusual paths.