CVE-2025-70950 Overview
CVE-2025-70950 is a directory traversal vulnerability in gohttp at commit 34ea51. The flaw allows unauthenticated remote attackers to read files outside the intended web root by supplying a crafted HTTP request. The weakness is categorized under CWE-22: Improper Limitation of a Pathname to a Restricted Directory. gohttp is a lightweight HTTP file server written in Go and maintained on GitHub by user itang. Because the server processes path components without sufficient sanitization, attackers can traverse parent directories using sequences such as ../ to access sensitive files on the host.
Critical Impact
Unauthenticated attackers can read arbitrary files accessible to the gohttp process, including configuration files, credentials, and source code.
Affected Products
- gohttp at commit 34ea51 (maintained at github.com/itang/gohttp)
- Deployments serving content with the vulnerable commit
- Downstream forks or builds incorporating the unpatched code
Discovery Timeline
- 2026-05-19 - CVE-2025-70950 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2025-70950
Vulnerability Analysis
The vulnerability resides in how gohttp resolves request paths to filesystem locations. When the server receives an HTTP request, it concatenates the user-supplied path with the configured document root without canonicalizing the result or rejecting parent-directory references. An attacker can submit a request containing ../ segments or encoded variants to break out of the served directory. The server then returns the contents of files located elsewhere on the host filesystem. This breaks the file-serving boundary that web operators expect to be enforced.
Root Cause
The root cause is improper path normalization before file access [CWE-22]. The handler trusts the request URI as a relative path and passes it to file I/O without verifying that the resolved absolute path remains within the document root. Encoded traversal sequences such as %2e%2e%2f and mixed separators may also bypass naive string filtering. Go's filepath.Clean or http.ServeFile enforced with a chrooted root would prevent this class of issue, but the vulnerable code path does not apply such controls.
Attack Vector
Exploitation requires only network reachability to the gohttp listener. No authentication, user interaction, or elevated privileges are needed. An attacker sends a single HTTP GET request whose path contains directory traversal sequences targeting files such as /etc/passwd, application configuration files, or private keys. Public proof-of-concept material is available at the GitHub Gist PoC and discussed in the upstream issue tracker.
No verified exploitation code is reproduced here. Refer to the linked references for the published proof-of-concept details.
Detection Methods for CVE-2025-70950
Indicators of Compromise
- HTTP request logs containing ../, ..\, or URL-encoded equivalents such as %2e%2e%2f and %2e%2e/ in the request URI.
- Successful 200 OK responses from gohttp for paths that resolve outside the configured document root.
- Outbound retrieval of sensitive files (for example /etc/passwd, .env, id_rsa) reflected in server access logs.
Detection Strategies
- Inspect web access logs for traversal patterns and decode percent-encoded sequences before pattern matching.
- Deploy a reverse proxy or web application firewall rule that blocks request paths containing parent-directory references.
- Correlate file-read syscalls from the gohttp process with the document-root path to identify out-of-bounds reads.
Monitoring Recommendations
- Forward gohttp access and error logs to a centralized SIEM for retention and alerting on traversal signatures.
- Alert on unusually large or unexpected file responses served by gohttp, particularly for non-static paths.
- Track network connections to gohttp listeners and flag scanning behavior from single sources issuing many ../ requests.
How to Mitigate CVE-2025-70950
Immediate Actions Required
- Restrict network exposure of gohttp to trusted networks or take it offline until a patched build is deployed.
- Run gohttp as an unprivileged user with read access limited to the intended document root.
- Place a hardened reverse proxy in front of gohttp to normalize and validate request paths.
Patch Information
No official fixed version is referenced in the NVD entry. Operators should monitor the upstream repository and the associated issue for a patched commit. Until a fix is published, rebuild from a fork that enforces filepath.Clean and validates that resolved paths remain within the configured root.
Workarounds
- Front gohttp with nginx or caddy configured to reject requests whose normalized path escapes the document root.
- Apply a WAF rule blocking request URIs that match (\.\./|\.\.\\|%2e%2e[/%5c]) after URL decoding.
- Containerize gohttp with a read-only filesystem mount that exposes only the directory intended to be served.
# Example nginx rule to block traversal attempts before reaching gohttp
location / {
if ($request_uri ~* "(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/)") {
return 400;
}
proxy_pass http://127.0.0.1:8080;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

