CVE-2026-35471 Overview
CVE-2026-35471 is a critical path traversal vulnerability in goshs, a SimpleHTTPServer written in Go. The vulnerability exists in the tdeleteFile() function, which fails to return after performing a path traversal check. This logic flaw allows attackers to bypass security controls and potentially delete arbitrary files on the target system.
Critical Impact
Unauthenticated attackers can exploit this path traversal flaw to delete arbitrary files on systems running vulnerable versions of goshs, potentially leading to complete system compromise or denial of service.
Affected Products
- goshs versions prior to 2.0.0-beta.3
- goshs 2.0.0-beta1
- goshs 2.0.0-beta2
Discovery Timeline
- 2026-04-06 - CVE-2026-35471 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35471
Vulnerability Analysis
This vulnerability stems from a missing return statement in the tdeleteFile() function after performing path traversal validation. When the function detects a path traversal attempt, it correctly identifies the malicious input but fails to halt execution, allowing the subsequent file deletion logic to proceed with the attacker-controlled path.
The flaw enables network-based attacks without requiring authentication or user interaction. An attacker can exploit this weakness to traverse directories outside the intended web root and delete arbitrary files accessible to the goshs process. Given that goshs operates as a file server, successful exploitation could result in deletion of critical system files, configuration data, or sensitive user content.
Root Cause
The root cause is a control flow defect in the tdeleteFile() function. After the path traversal check identifies a malicious path containing sequences like ../, the function logs or flags the violation but does not include a return statement to exit the function. This allows code execution to continue past the security check, ultimately processing the file deletion request with the unsanitized path.
This is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal.
Attack Vector
The attack is network-based and can be executed remotely without any authentication. An attacker sends a specially crafted HTTP request to the goshs server containing path traversal sequences (e.g., ../../etc/passwd) in the file deletion endpoint. Due to the missing return statement, the server processes the malicious path and attempts to delete the specified file.
The vulnerability enables attackers to target any file accessible to the goshs process, limited only by the process's filesystem permissions. This could include application configuration files, log files, or even critical system files if the server runs with elevated privileges.
Detection Methods for CVE-2026-35471
Indicators of Compromise
- HTTP requests to the goshs server containing path traversal sequences (../, ..%2f, ..%5c) in file deletion endpoints
- Unexpected file deletion events in directories outside the goshs web root
- Web server logs showing requests with encoded or unencoded directory traversal patterns
- Missing critical files or configuration data on systems running goshs
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block path traversal patterns in incoming requests
- Monitor HTTP request logs for directory traversal sequences targeting file manipulation endpoints
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized deletions
- Configure SentinelOne agents to monitor for suspicious file deletion patterns originating from the goshs process
Monitoring Recommendations
- Enable verbose logging on goshs servers and centralize logs for security analysis
- Set up alerts for HTTP requests containing path traversal indicators such as ../ or URL-encoded variants
- Monitor filesystem events for deletions outside the expected goshs working directory
- Review SentinelOne Deep Visibility telemetry for anomalous file operations associated with the goshs process
How to Mitigate CVE-2026-35471
Immediate Actions Required
- Upgrade goshs to version 2.0.0-beta.3 or later immediately
- If immediate upgrade is not possible, consider temporarily disabling the file deletion functionality
- Review web server logs for any evidence of exploitation attempts
- Audit file integrity on systems running vulnerable goshs versions
Patch Information
The vulnerability is fixed in goshs version 2.0.0-beta.3. The patch adds the missing return statement to the tdeleteFile() function, ensuring that execution halts when a path traversal attempt is detected. Organizations should update to this version or later as soon as possible.
For additional details, refer to the GitHub Security Advisory for GHSA-6qcc-6q27-whp8.
Workarounds
- Place a reverse proxy with path normalization and traversal blocking in front of goshs
- Restrict network access to the goshs server using firewall rules, limiting exposure to trusted networks only
- Run goshs with minimal filesystem permissions to reduce the impact of potential exploitation
- Disable or block access to file deletion endpoints if the functionality is not required
# Example: Restrict goshs to a specific directory with minimal permissions
# Create a dedicated user with limited access
useradd -r -s /bin/false goshs-user
# Set restrictive permissions on the web root
chown -R goshs-user:goshs-user /var/www/goshs
chmod -R 750 /var/www/goshs
# Run goshs as the restricted user
su -s /bin/bash -c "goshs -d /var/www/goshs" goshs-user
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
