goshs Path Traversal Vulnerability in POST Multipart Upload

Vulnerability

A path traversal vulnerability has been identified in goshs versions through 2.0.0-beta.2. The issue arises in the POST multipart upload handling, where the upload directory is not properly sanitized. This flaw allows for unauthenticated arbitrary file writes to any existing directory on the filesystem.

Impact

Exploitation of this vulnerability allows unauthenticated users to write arbitrary files to any directory on the filesystem, potentially overwriting existing files.

Reproduction

To reproduce this vulnerability, send a POST request to the '/<path>/upload' endpoint. The request must include a multipart file upload. The vulnerability can be exploited by including '../..' in the URL path to traverse out of the webroot and into the filesystem, taking advantage of the unsanitized upload directory handling.

Remediation

Users are advised to update to goshs version 2.0.0-beta.3 or later, where this vulnerability has been fixed.
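
For maintainers of similar upload handlers, the following added example (not goshs code and not the project's actual patch) shows one way to confine an upload directory derived from the URL path to the webroot. The helper name resolveUploadDir, the error value, and the /srv/webroot path are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

var ErrOutsideWebroot = errors.New("upload directory escapes webroot")

// resolveUploadDir (hypothetical helper) maps an already-decoded request path
// such as "/docs/upload" to the directory under webroot that receives the file.
func resolveUploadDir(webroot, urlPath string) (string, error) {
	if !strings.HasSuffix(urlPath, "/upload") {
		return "", errors.New("not an upload endpoint")
	}
	rel := strings.TrimSuffix(urlPath, "/upload")
	// Reject traversal segments outright instead of silently cleaning them,
	// so the attempt is visible to the caller and can be logged.
	for _, seg := range strings.Split(rel, "/") {
		if seg == ".." {
			return "", ErrOutsideWebroot
		}
	}
	root, err := filepath.Abs(webroot)
	if err != nil {
		return "", err
	}
	// Anchor at "/" before cleaning, then join under the absolute webroot.
	target := filepath.Join(root, filepath.FromSlash(path.Clean("/"+rel)))
	// Defense in depth: the result must still be lexically inside root.
	back, err := filepath.Rel(root, target)
	if err != nil || back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWebroot
	}
	return target, nil
}

func main() {
	// Constructed sample paths, not taken from the advisory.
	for _, p := range []string{"/docs/upload", "/../../tmp/upload"} {
		dir, err := resolveUploadDir("/srv/webroot", p)
		fmt.Printf("%-20s -> %q, err=%v\n", p, dir, err)
	}
}
```

The check is lexical only: if the webroot can contain symlinks, resolve the target with filepath.EvalSymlinks and repeat the containment check before writing.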

Added: Apr 6, 2026, 9:22 PM
Updated: Apr 6, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.