Publish GHSA-rhf7-wvw3-vjvm

advisory-database[bot] · advisory-database[bot] · commit dbaef2f358b6 · 2026-04-23T14:30:15.000Z
diff --git a/advisories/github-reviewed/2026/04/GHSA-rhf7-wvw3-vjvm/GHSA-rhf7-wvw3-vjvm.json b/advisories/github-reviewed/2026/04/GHSA-rhf7-wvw3-vjvm/GHSA-rhf7-wvw3-vjvm.json
@@ -0,0 +1,74 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rhf7-wvw3-vjvm",
+  "modified": "2026-04-23T14:28:14Z",
+  "published": "2026-04-23T14:28:14Z",
+  "aliases": [],
+  "summary": "goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS",
+  "details": "### Summary\nThe PUT upload handler (`httpserver/updown.go`) lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional `Access-Control-Allow-Origin: *` on the OPTIONS preflight handler (`httpserver/server.go`), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network).\n\n### Details\n**Root Cause 1 — Missing CSRF on PUT** (`httpserver/updown.go:19`)\n\nWhen GHSA-jrq5-hg6x-j6g3 was fixed (commit `e3c3d37`), `checkCSRF()` was added to the POST `upload()` function (line 78) but not to the PUT `put()` function directly above it in the same file. This means PUT requests are accepted without any CSRF token.\n\n```go\n// POST — protected \nfunc (fs *FileServer) upload(w http.ResponseWriter, req *http.Request) {\n    if !fs.checkCSRF(w, req) { return }\n    // ...\n}\n\n// PUT — unprotected \nfunc (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {\n    // No checkCSRF call\n    // ...\n}\n```\n\n**Root Cause 2 — Wildcard CORS** (`httpserver/server.go:126`)\n\nThe OPTIONS handler unconditionally returns permissive CORS headers:\n\n```go\nw.Header().Set(\"Access-Control-Allow-Origin\", \"*\")\nw.Header().Set(\"Access-Control-Allow-Methods\", \"POST, PUT, OPTIONS\")\nw.Header().Set(\"Access-Control-Allow-Headers\", \"Content-Type, Authorization\")\n```\n\nThis allows any website's JavaScript to pass the browser's CORS preflight check and send PUT requests to the goshs server.\n\n### PoC\n[poc.zip](https://github.com/user-attachments/files/26828829/poc.zip)\n\nPlease extract the uploaded compressed file before proceeding\n\n1. bash poc.sh\n<img width=\"543\" height=\"376\" alt=\"스크린샷 2026-04-17 오후 11 08 13\" src=\"https://github.com/user-attachments/assets/a695cbc8-133e-4e80-a2f5-9fe9fd36b569\" />\n\n\n\n\n### Impact\n- Arbitrary file write to the goshs webroot from any website the victim visits\n- File overwrite — existing files can be silently replaced",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/patrickhener/goshs/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/patrickhener/goshs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.1.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/patrickhener/goshs"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-23T14:28:14Z",
+    "nvd_published_at": null
+  }
+}
