CVE-2026-35392 Overview
CVE-2026-35392 is a critical path traversal vulnerability affecting goshs, a SimpleHTTPServer implementation written in Go. The vulnerability exists in the PUT upload functionality within httpserver/updown.go, where insufficient path sanitization allows attackers to write files to arbitrary locations on the server's file system. This flaw enables remote attackers to potentially overwrite critical system files or deploy malicious payloads outside the intended upload directory.
Critical Impact
Remote attackers can exploit the lack of path sanitization in PUT upload requests to write arbitrary files anywhere on the server, potentially leading to complete system compromise, arbitrary code execution, or data destruction.
Affected Products
- goshs versions prior to 2.0.0-beta.3
- goshs 2.0.0-beta1
- goshs 2.0.0-beta2
Discovery Timeline
- 2026-04-06 - CVE-2026-35392 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35392
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw resides in the file upload handling code within httpserver/updown.go, where user-supplied path components in PUT requests are not properly validated or sanitized before being used to construct file system paths.
When processing PUT upload requests, the goshs server fails to filter or normalize path sequences such as ../ (dot-dot-slash) that allow navigation outside the intended upload directory. This enables an attacker to craft malicious requests that traverse the directory structure and write files to arbitrary locations accessible by the server process.
The vulnerability can be exploited remotely over the network without requiring any authentication or user interaction, making it particularly dangerous for exposed goshs instances.
Root Cause
The root cause is the absence of path canonicalization and validation in the PUT upload handler. The httpserver/updown.go module directly uses user-controlled path input without stripping or rejecting directory traversal sequences. Proper security controls would include normalizing the path, resolving it to an absolute path, and verifying that the final destination remains within the designated upload directory boundary.
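As an added illustration of the control just described (not goshs' own code or its patch), a Go helper that joins a client-supplied upload name to the upload root, lets filepath.Join normalise it, and rejects any result that lands outside the root. The names SafeUploadPath, ErrOutsideBase and ErrNoFileName and the /opt/goshs/uploads root are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a client-supplied name resolves outside the
// upload root, i.e. the CWE-22 condition this advisory describes.
var ErrOutsideBase = errors.New("upload path escapes the upload directory")

// ErrNoFileName is returned when the name resolves to the root itself.
var ErrNoFileName = errors.New("upload path does not name a file")

// SafeUploadPath maps userPath (the already percent-decoded path from a PUT
// request) onto an absolute destination under baseDir: normalise, make
// absolute, then verify containment. Hypothetical helper, not goshs code.
func SafeUploadPath(baseDir, userPath string) (string, error) {
	base, err := filepath.Abs(baseDir) // absolute and cleaned upload root
	if err != nil {
		return "", err
	}
	// Join cleans the combined path, so "sub/../../x" collapses to the root's
	// parent plus "x" here rather than reaching the OS unresolved.
	dest := filepath.Join(base, filepath.FromSlash(userPath))
	if dest == base {
		return "", ErrNoFileName
	}
	// Containment: dest must begin with base plus a separator. Comparing
	// against base alone would wrongly accept "/opt/goshs/uploads-evil/x".
	if !strings.HasPrefix(dest, base+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	// Caveat: if the upload tree may contain symlinks, also resolve the parent
	// of dest with filepath.EvalSymlinks and repeat the check before opening.
	return dest, nil
}

func main() {
	// Constructed upload root and client-supplied names.
	for _, n := range []string{"report.txt", "sub/../report.txt", "/etc/passwd", "../../etc/passwd", ".."} {
		dest, err := SafeUploadPath("/opt/goshs/uploads", n)
		fmt.Printf("%-20q -> %q %v\n", n, dest, err)
	}
}
```

A leading slash in the client name is confined to the root rather than treated as absolute, while any ".." that climbs above the root is refused.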
Attack Vector
An attacker can exploit this vulnerability by sending a specially crafted PUT request to a vulnerable goshs server. By including path traversal sequences (e.g., ../) in the upload path, the attacker can escape the intended upload directory and write files to arbitrary locations on the server's file system.
The attack can be executed remotely over the network without any authentication requirements or user interaction. Successful exploitation could allow an attacker to overwrite configuration files, inject malicious scripts into web-accessible directories, or plant backdoor files for persistent access. In scenarios where the goshs server runs with elevated privileges, this could lead to complete system compromise.
Detection Methods for CVE-2026-35392
Indicators of Compromise
- Unexpected files appearing outside the designated goshs upload directory
- Web server access logs containing PUT requests with path traversal sequences such as ../ or URL-encoded variants (%2e%2e%2f)
- Modified system or configuration files with timestamps corresponding to goshs server activity
- Presence of suspicious or unknown files in sensitive directories like /etc, /var, or application directories
Detection Strategies
- Monitor HTTP access logs for PUT requests containing directory traversal patterns (../, ..%2f, %2e%2e/, etc.)
- Implement file integrity monitoring on critical system directories to detect unauthorized modifications
- Deploy web application firewalls (WAF) with rules to block path traversal attempts in request paths
- Use intrusion detection systems to alert on anomalous file write operations by the goshs process
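To make the first detection strategy concrete, an added example (constructed here, not goshs or advisory code) that scans access-log lines in Common Log Format for PUT requests whose path, once percent-decoded, contains a ".." segment. The sample lines, client addresses and the names hasTraversal, ScanLog and Finding are assumptions for this example.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// Constructed access-log lines in Common Log Format; not real goshs output.
const sampleLog = `10.0.0.5 - - [06/Apr/2026:10:00:01 +0000] "PUT /uploads/report.txt HTTP/1.1" 201 0
10.0.0.9 - - [06/Apr/2026:10:00:07 +0000] "PUT /uploads/../../etc/cron.d/job HTTP/1.1" 201 0
10.0.0.9 - - [06/Apr/2026:10:00:09 +0000] "PUT /uploads/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 201 0
10.0.0.5 - - [06/Apr/2026:10:00:15 +0000] "GET /uploads/../report.txt HTTP/1.1" 200 512
10.0.0.7 - - [06/Apr/2026:10:00:20 +0000] "PUT /uploads/notes..txt HTTP/1.1" 201 0`

var reqLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"`) // client, method, path
type Finding struct{ Client, RawPath, Decoded string }

// hasTraversal percent-decodes p (repeatedly, so double-encoded forms surface too)
// and reports whether any "/"-separated segment is exactly "..", so "notes..txt" is not flagged.
func hasTraversal(p string) (string, bool) {
	decoded := p
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(decoded)
		if err != nil || d == decoded {
			break
		}
		decoded = d
	}
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return decoded, true
		}
	}
	return decoded, false
}

// ScanLog returns one Finding per PUT whose decoded path climbs out of its directory.
func ScanLog(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := reqLine.FindStringSubmatch(line)
		if m == nil || m[2] != "PUT" {
			continue
		}
		if decoded, hit := hasTraversal(m[3]); hit {
			out = append(out, Finding{m[1], m[3], decoded})
		}
	}
	return out
}
```

Matching whole segments after decoding is what distinguishes the two 10.0.0.9 requests from the harmless notes..txt upload; the GET on line four is left to a separate read-side rule.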
Monitoring Recommendations
- Enable detailed logging for the goshs server to capture all PUT request paths and source IPs
- Configure SIEM rules to correlate PUT requests with subsequent file system changes outside approved directories
- Implement real-time alerting for any file creation or modification in directories that should be read-only or restricted
How to Mitigate CVE-2026-35392
Immediate Actions Required
- Upgrade goshs to version 2.0.0-beta.3 or later immediately
- If immediate upgrade is not possible, disable PUT upload functionality or restrict network access to the goshs server
- Review file system for any unauthorized files that may have been uploaded through exploitation
- Restrict the goshs server's file system permissions to limit the directories it can write to
Patch Information
The vulnerability is fixed in goshs version 2.0.0-beta.3. Users should update to this version or any subsequent release. For detailed patch information and the security advisory, refer to the GitHub Security Advisory GHSA-g8mv-vp7j-qp64.
Workarounds
- Disable PUT upload functionality in goshs configuration until the patch can be applied
- Place goshs behind a reverse proxy that filters requests containing path traversal patterns
- Run goshs in a containerized or sandboxed environment with strict file system access controls
- Use network segmentation to limit access to the goshs server to trusted networks only
# Example: Run goshs with restricted directory permissions
# Create a dedicated upload directory with limited scope
mkdir -p /opt/goshs/uploads
chown goshs-user:goshs-user /opt/goshs/uploads
chmod 750 /opt/goshs/uploads
# Run goshs as unprivileged user to limit impact
su - goshs-user -c "goshs -d /opt/goshs/uploads"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.