Listen to this Post
How the mentioned CVE works:
The vulnerability exists in the SFTP rename command implementation. The function `cmdFile` sanitizes only the source path using `sanitizePath(r.Filepath, root)` but does not sanitize the destination path r.Target. The source path is checked to ensure it stays inside the chroot root, while the destination is passed directly to os.Rename(fullPath, r.Target). This allows an authenticated SFTP user to write any file outside the intended root directory. An attacker first uploads a file (e.g., key.txt) to the SFTP server, which is stored inside the restricted directory. Then, using the rename command, they specify a destination with an absolute path like /tmp/key.txt. Since the destination is not sanitized, `os.Rename` moves the file outside the chroot. The server logs show the rename operation without any rejection. This bypasses the intended path restriction and leads to arbitrary file write on the host system. The flaw is in `helper.go` lines 155–215, specifically the “Rename” case. No validation of the target path occurs. The PoC demonstrates writing to /tmp, but any writeable location can be targeted. Impact includes overwriting SSH keys, configuration files, or achieving remote code execution.
DailyCVE form:
Platform: goshs
Version: before v2.0.0-beta.3
Vulnerability: path traversal rename
Severity: Critical
date: 2026-04-02
Prediction: 2026-04-16
What Undercode Say:
Check vulnerable version goshs --version Simulate exploit sftp -P 2022 user@localhost <<EOF put key.txt rename key.txt /tmp/evil.txt EOF Verify file outside root ls /tmp/evil.txt
Exploit:
Upload any file then rename with absolute path outside chroot. Example: `rename uploaded.txt /etc/cron.d/payload`
Protection from this CVE:
Update to goshs v2.0.0-beta.3 or later. Alternatively, apply patch that sanitizes `r.Target` using same `sanitizePath` function. Restrict SFTP user permissions via filesystem ACLs or container isolation.
Impact:
Arbitrary file write leads to SSH key overwrite (persistence), config tampering, or RCE via crontab/authorized_keys. Complete host compromise possible.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

