Description
An issue in gohttp commit 34ea51 allows attackers to execute a directory traversal via supplying a crafted request.
Published: 2026-05-19
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves a directory traversal flaw that can be triggered by supplying a crafted HTTP request. The flaw allows an attacker to retrieve files outside the intended web root, potentially exposing sensitive configuration data or other secrets stored on the server. Because the attacker can read arbitrary files, there is a risk of information leakage that may facilitate further attacks such as privilege escalation or data exfiltration.

Affected Systems

The affected product is the Go HTTP server implementation (gohttp) at commit 34ea51. No version ranges or vendor products are listed, so any deployment using this exact code commit is potentially impacted.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploitation in the wild to date. The attack vector is inferred to be remote over the network, as the flaw is triggered via an HTTP request. The CVSS score of 7.3 corresponds to High severity, highlighting the potential for significant impact if the vulnerability is exploited.

Generated by OpenCVE AI on May 19, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an updated release of gohttp that removes the vulnerable commit 34ea51 and upgrade immediately
  • If no patch is available, restrict file‑serving directories or apply path canonicalization to prevent access to parent directories
  • Implement web‑application firewall rules or equivalent input validation to block traversal patterns such as ".." or encoded sequences
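
The path canonicalization recommended above, as an added Go example (not code from gohttp or from OpenCVE). It assumes a hypothetical web root /srv/www, a hypothetical helper named resolveUnderRoot and constructed request paths, and it takes the raw, still percent-encoded path so that encoded sequences are decoded exactly once before the containment check.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal marks a request path that resolves outside the web root.
var ErrTraversal = errors.New("request path escapes web root")

// resolveUnderRoot (hypothetical helper) maps a raw, still percent-encoded
// request path to a file path and rejects anything that canonicalizes to a
// location outside root. Lexical only: symlinks inside root are not resolved.
func resolveUnderRoot(root, rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath) // decode exactly once
	if err != nil {
		return "", fmt.Errorf("malformed escape: %w", err)
	}
	if strings.ContainsAny(decoded, "\x00\\") { // NUL bytes, backslash separators
		return "", ErrTraversal
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, collapsing "." and ".." segments.
	candidate := filepath.Join(absRoot, filepath.FromSlash(decoded))
	// Compare via Rel rather than a string prefix, so that a sibling such as
	// /srv/www-private does not pass as being "under" /srv/www.
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return candidate, nil
}

func main() {
	// Constructed sample requests against the assumed root /srv/www.
	for _, p := range []string{"/css/site.css", "/../../etc/passwd",
		"/static/..%2f..%2fsecret.txt", "/../www-private/key.pem"} {
		out, err := resolveUnderRoot("/srv/www", p)
		fmt.Printf("%-32q -> %q err=%v\n", p, out, err)
	}
}
```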


Advisories

No advisories yet.

History

Tue, 19 May 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Directory Traversal in gohttp Enabling Arbitrary File Access |

Tue, 19 May 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-22 |
| Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 19 May 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An issue in gohttp commit 34ea51 allows attackers to execute a directory traversal via supplying a crafted request. |
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-19T14:37:33.811Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70950

Vulnrichment

Updated: 2026-05-19T14:37:28.909Z

NVD

Status: Received

Published: 2026-05-19T15:16:27.180

Modified: 2026-05-19T16:16:19.317

Link: CVE-2025-70950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T17:00:12Z

Weaknesses