Impact
goshs, a lightweight HTTP server written in Go, contains an ArtiPACKED vulnerability in releases before 2.0.0-beta.6 that can cause the server's build pipeline to embed the environment variable GITHUB_TOKEN into data written to workflow artifacts. If a malicious or compromised GitHub Actions workflow triggers artifact creation, the attacker can download the artifact and recover the token, gaining authenticated access to the repository and related services. The CVSS score of 9.1 reflects a high likelihood of serious impact, because the exposed credential can be used for extensive malicious actions. The likely attack vector is a workflow run that writes the token into an uploaded artifact; the token itself never appears in the repository source code.
Affected Systems
The vulnerability affects the SimpleHTTPServer package maintained by Patrick Hener, impacting all releases prior to 2.0.0-beta.6. Administrators who run goshs in CI/CD contexts, or who expose the server to untrusted inputs, should note that unpatched instances are vulnerable to credential leakage via GitHub Actions artifacts.
Risk and Exploitability
The CVSS base score of 9.1 indicates high severity. An EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog. Even so, the flaw is trivial to exploit whenever a workflow generates artifacts, and a compromised GITHUB_TOKEN enables a wide range of malicious actions. Given its high score and potential impact, this threat should be treated with urgency. The absence of an EPSS score does not reduce the likelihood that an attacker could abuse the flaw in environments where workflow artifact uploads are automated.
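As an added defensive check, not part of this advisory or of the goshs project: a Python scanner that can run over the workspace before the upload-artifact step and flag files carrying a GitHub token format, a GITHUB_TOKEN assignment in a log dump, or the basic-auth extraheader that actions/checkout persists into .git/config (that persistence mechanism is the general ArtiPACKED pattern, assumed here rather than stated by the advisory). The sample artifact tree is constructed inline.

```python
import base64
import os
import re
import tempfile

# GitHub token shapes: known prefix followed by 36+ alphanumerics (ghs_ = installation token).
TOKEN_RE = re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b")
# Environment dumps written to build logs.
ENV_RE = re.compile(r"GITHUB_TOKEN\s*[=:]\s*\S+")
# Assumed actions/checkout persistence: "AUTHORIZATION: basic <base64(x-access-token:TOKEN)>".
EXTRAHEADER_RE = re.compile(r"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)


def scan_bytes(relpath, data):
    """Return (relpath, finding-kind) pairs for one file's contents."""
    findings = []
    text = data.decode("utf-8", errors="replace")
    if TOKEN_RE.search(text):
        findings.append((relpath, "github-token"))
    if ENV_RE.search(text):
        findings.append((relpath, "env-dump"))
    m = EXTRAHEADER_RE.search(text)
    if m:
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
        except ValueError:
            decoded = ""
        if decoded.startswith("x-access-token:"):
            findings.append((relpath, "git-extraheader"))
    return findings


def scan_artifact_tree(root, max_bytes=2_000_000):
    """Walk a directory about to be uploaded and collect credential findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings.extend(scan_bytes(os.path.relpath(path, root), fh.read(max_bytes)))
    return findings


def build_demo_tree():
    """Constructed sample workspace: clean README, persisted git credentials, leaked env dump."""
    root = tempfile.mkdtemp(prefix="artifact-")
    fake_token = "ghs_" + "A" * 36  # obviously fake placeholder, not a real credential
    os.makedirs(os.path.join(root, ".git"))
    header = base64.b64encode(f"x-access-token:{fake_token}".encode()).decode()
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write(f"[http \"https://github.com/\"]\n\textraheader = AUTHORIZATION: basic {header}\n")
    with open(os.path.join(root, "build.log"), "w") as fh:
        fh.write(f"env dump:\nGITHUB_TOKEN={fake_token}\n")
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("goshs build output\n")
    return root
```

Running `scan_artifact_tree(build_demo_tree())` reports the .git/config extraheader and both the token shape and the env-dump pattern in build.log, while README.md produces nothing; a non-empty result is the signal to fail the job before upload.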
OpenCVE Enrichment