CVE-2026-42091

MEDIUM 6.5 | EPSS 0.01%

goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

Published: 2026/4/23 | Modified: 2026/5/5

Description

### Summary

The PUT upload handler (`httpserver/updown.go`) lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional `Access-Control-Allow-Origin: *` on the OPTIONS preflight handler (`httpserver/server.go`), any website can write arbitrary files to a goshs instance through the victim's browser, bypassing network isolation (e.g. localhost, internal network).

### Details

**Root Cause 1: Missing CSRF on PUT** (`httpserver/updown.go:19`)

When GHSA-jrq5-hg6x-j6g3 was fixed (commit `e3c3d37`), `checkCSRF()` was added to the POST `upload()` function (line 78) but not to the PUT `put()` function directly above it in the same file. This means PUT requests are accepted without any CSRF token.

```go
// POST: protected
func (fs *FileServer) upload(w http.ResponseWriter, req *http.Request) {
	if !fs.checkCSRF(w, req) {
		return
	}
	// ...
}

// PUT: unprotected
func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {
	// No checkCSRF call
	// ...
}
```

**Root Cause 2: Wildcard CORS** (`httpserver/server.go:126`)

The OPTIONS handler unconditionally returns permissive CORS headers:

```go
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "POST, PUT, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
```

This allows any website's JavaScript to pass the browser's CORS preflight check and send PUT requests to the goshs server.

### PoC

[poc.zip](https://github.com/user-attachments/files/26828829/poc.zip)

Please extract the uploaded compressed file before proceeding.

1. `bash poc.sh`

[Screenshot: PoC output, 2026-04-17]

### Impact

- Arbitrary file write to the goshs webroot from any website the victim visits
- File overwrite: existing files can be silently replaced
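The fix pattern for both root causes, written here as an added example rather than goshs's own code: the PUT path runs the same CSRF check as the POST path, and the preflight handler echoes only an allow-listed Origin instead of `*`. The double-submit token (cookie `csrf_token` echoed in header `X-CSRF-Token`) and the origin allow-list are assumptions for illustration, not the project's actual mechanism.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Added example, not goshs code. Assumes a double-submit CSRF token: cookie "csrf_token" echoed in header "X-CSRF-Token".
type FileServer struct{ allowedOrigins map[string]bool } // allow-list is also an assumption

// checkCSRF rejects a request whose header token is absent or differs from the cookie
// token (constant-time compare); on failure it writes 403 and returns false.
func (fs *FileServer) checkCSRF(w http.ResponseWriter, req *http.Request) bool {
	c, err := req.Cookie("csrf_token")
	tok := req.Header.Get("X-CSRF-Token")
	if err != nil || c.Value == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(tok)) != 1 {
		http.Error(w, "invalid CSRF token", http.StatusForbidden)
		return false
	}
	return true
}

// put is the PUT upload path carrying the same check the POST path already has.
func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {
	if !fs.checkCSRF(w, req) {
		return
	}
	w.WriteHeader(http.StatusCreated) // the file write would happen here
}

// options answers the preflight: Allow-Origin echoes only an allow-listed Origin, never "*",
// so a page on any other origin fails the browser's preflight and cannot send the PUT.
func (fs *FileServer) options(w http.ResponseWriter, req *http.Request) {
	if o := req.Header.Get("Origin"); fs.allowedOrigins[o] {
		w.Header().Set("Access-Control-Allow-Origin", o)
		w.Header().Set("Vary", "Origin")
		w.Header().Set("Access-Control-Allow-Methods", "POST, PUT, OPTIONS")
		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-CSRF-Token")
	}
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	fs := &FileServer{allowedOrigins: map[string]bool{"http://localhost:8000": true}}
	rec := httptest.NewRecorder()
	fs.put(rec, httptest.NewRequest(http.MethodPut, "/upload/a.txt", nil))
	fmt.Println("PUT without token ->", rec.Code) // 403
}
```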

Affected packages (2)

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |

References (5)