Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6.
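An added illustration (not goshs's code, and not a reconstruction of its actual sanitizePath): a byte-prefix check of the kind the advisory describes beside a directory-boundary check, run over the advisory's example root /tmp/goshsroot and its sibling path. The function names are assumptions; both checks are purely lexical.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// hasRootPrefix is the weak pattern described in the advisory (illustrative
// only, not goshs's code): clean the path, then accept it if its bytes merely
// start with the root string. A sibling like "<root>_evil/..." passes.
func hasRootPrefix(root, candidate string) bool {
	return strings.HasPrefix(filepath.Clean(candidate), filepath.Clean(root))
}

// withinRoot is a directory-boundary check: after cleaning, the candidate must
// be the root itself or reachable from it without any ".." step, so a sibling
// directory that shares the prefix is rejected.
func withinRoot(root, candidate string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(candidate))
	if err != nil {
		return false // e.g. relative vs absolute, or another volume on Windows
	}
	sep := string(filepath.Separator)
	return rel != ".." && !strings.HasPrefix(rel, ".."+sep)
}

func main() {
	root := "/tmp/goshsroot" // the advisory's example root
	for _, p := range []string{
		"/tmp/goshsroot/docs/readme.md",  // legitimate child
		"/tmp/goshsroot_evil/secret.txt", // sibling sharing the byte prefix
		"/tmp/goshsroot/../other/x",      // traversal, removed by Clean
		"/tmp/goshsroot",                 // the root itself
	} {
		fmt.Printf("%-32s prefix=%-5v boundary=%v\n",
			p, hasRootPrefix(root, p), withinRoot(root, p))
	}
}
```

Both checks are lexical: for paths that already exist, resolve symlinks (filepath.EvalSymlinks) on both root and candidate before applying withinRoot.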
Published: 2026-04-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Directory traversal allowing read/write outside the configured SFTP root
Action: Immediate Patch
AI Analysis

Impact

An authenticated user of the goshs SFTP service can read and write arbitrary files on the server that lie outside the intended "jail" root directory. The flaw arises from prefix-based path validation that accepts any file path beginning with the configured root string, even when the path refers to a sibling directory that merely shares that prefix. This permits disclosure or modification of files that are unrelated to the SFTP service.

Affected Systems

The vulnerability affects the goshs project maintained by patrickhener. Any installation of goshs earlier than version 2.0.0-beta.6 is vulnerable. The affected component is the SFTP subsystem implemented in sftpserver/sftpserver.go and its handler chain, which relies on a helper function for path sanitization.

Risk and Exploitability

The issue carries a CVSS score of 8.7, indicating high severity. The EPSS score is not reported, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid SFTP credentials; the mistake in path handling means an attacker can bypass the jail boundary and access privileged files, potentially leading to data leakage or persistence if the server files contain sensitive data.

Generated by OpenCVE AI on April 22, 2026 at 06:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 2.0.0-beta.6 or newer to replace the insecure path sanitization logic.
  • Disable or restrict SFTP access for users that do not need it, limiting the attack surface for authenticated attackers.
  • Verify that the SFTP root path is correctly set and that no sibling directories share the same prefix, and monitor file system changes for unauthorized access.



Advisories
Source: GitHub GHSA
ID: GHSA-5h6h-7rc9-3824
Title: SFTP root escape via prefix-based path validation in goshs
History

Wed, 22 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Patrickhener; Patrickhener goshs

Type: Vendors & Products
Values Removed: (none)
Values Added: Patrickhener; Patrickhener goshs

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: the description text given under "Description" at the top of this page

Type: Title
Values Removed: (none)
Values Added: SFTP root escape via prefix-based path validation in goshs

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-22T13:29:26.188Z
Reserved: 2026-04-15T15:57:41.718Z
Link: CVE-2026-40876

Vulnrichment

Updated: 2026-04-22T13:29:21.661Z

NVD

Status: Received
Published: 2026-04-21T20:17:01.263
Modified: 2026-04-22T14:17:01.877
Link: CVE-2026-40876

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:28Z

Weaknesses