GHSA-RHF7-WVW3-VJVM: Cross-Origin Arbitrary File Write via Missing CSRF Protection in goshs

Published: (April 23, 2026 at 02:10 PM EDT)
Source: Dev.to

Vulnerability Overview

  • Vulnerability ID: GHSA-RHF7-WVW3-VJVM
  • CVSS Score: 8.8
  • Published: 2026-04-23
  • CWE IDs: CWE‑352 (Cross‑Site Request Forgery) / CWE‑942 (Improperly Controlled Modification of File System)
  • Attack Vector: Network (requires victim interaction)
  • Impact: Arbitrary File Write
  • Exploit Status: Proof‑of‑Concept available
  • Authentication Required: None

The goshs application (a single‑binary file server written in Go) suffers from a cross‑origin arbitrary file write vulnerability. An incomplete security patch failed to enforce CSRF protection on the HTTP PUT method. Coupled with an overly permissive CORS configuration that reflects any Origin header, an attacker can trick a victim’s browser into writing arbitrary files to the server.

Affected Component

  • File: httpserver/updown.go (function putHandler)
  • Package: patrickhener/goshs
  • Versions: All releases prior to 2.0.3

Impact and Exploitability

  • Unauthenticated attackers can cause a victim’s browser to issue a crafted PUT request, bypassing CSRF checks.
  • The server’s wildcard CORS policy allows the malicious request from any origin.
  • Result: Arbitrary files can be written to the server’s filesystem, potentially leading to remote code execution or data corruption.
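The two defects above (no CSRF check on PUT, and a CORS policy that echoes whatever Origin arrives) are both addressed by the guard below. It is an added illustration, not goshs's own code: the handler names, the listen address `http://127.0.0.1:8000`, and the in-memory map standing in for the served directory are assumptions, and preflight (OPTIONS) handling is left out.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Origins allowed to make state-changing requests: the server's own origin (listen address is an
// assumption). Reflecting the request's Origin here instead is the weak CORS setup the advisory names.
var allowedOrigins = map[string]bool{"http://127.0.0.1:8000": true}
// In-memory stand-in for the served directory, so the example never touches disk.
var files = map[string][]byte{}
// Browsers attach Origin to every cross-origin PUT, so a forged request is refused here. A request
// with no Origin at all (curl, same-origin navigation) passes; "null" and unknown origins do not.
func originAllowed(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	return origin == "" || allowedOrigins[origin]
}
// Safe methods pass through; all others must satisfy originAllowed. ACAO is never copied from the request.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		safe := r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions
		if !safe && !originAllowed(r) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		if o := r.Header.Get("Origin"); allowedOrigins[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
		}
		next.ServeHTTP(w, r)
	})
}
// putHandler is the write step the advisory says ran without the check above (read error elided).
func putHandler(w http.ResponseWriter, r *http.Request) {
	files[r.URL.Path], _ = io.ReadAll(r.Body)
	w.WriteHeader(http.StatusCreated)
}
// putStatus sends one PUT with the given Origin through the guarded handler and returns the status.
func putStatus(origin, path string) int {
	req := httptest.NewRequest(http.MethodPut, "http://127.0.0.1:8000"+path, strings.NewReader("data"))
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	csrfGuard(http.HandlerFunc(putHandler)).ServeHTTP(rec, req)
	return rec.Code
}
```

A PUT carrying a foreign or `null` Origin gets 403 and nothing is stored; the same request from the allowlisted origin, or with no Origin header, gets 201.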

Remediation Steps

  1. Identify all hosts running patrickhener/goshs binaries.
  2. Upgrade to goshs v2.0.3 or later (download from the official repository).
  3. Restart the service with the updated binary.
  4. Restrict development servers to bind only on the loopback interface (127.0.0.1).
  5. Scope file server directories to non‑sensitive locations.
  6. Implement strict egress filtering to block internal workstations from contacting untrusted external domains.

References

  • goshs GitHub Repository
  • GHSA‑RHF7‑WVW3‑VJVM Security Advisory (full report with diagrams and exploit analysis)