Vulnerabilities

CVE-2026-40876

High ⚡ Exploit Available
CWE-22 — Weakness Type
Published: Apr 21, 2026  ·  Modified: Apr 28, 2026  ·  Source: NVD
CVSS v3
8.8
📄 Description (English)

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6.
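The distinction the description draws between a string-prefix comparison and a directory-boundary check, as an added Go example written for this page (it is not goshs's code and does not reproduce sanitizePath()). sanitizePrefix models the weak check as the description characterises it: join the request onto the root, clean it, then test strings.HasPrefix against the root. sanitizeBounded is one correct replacement using filepath.Rel. The function names, the root /tmp/goshsroot and the request paths are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request would resolve outside the jail.
var ErrOutsideRoot = errors.New("path escapes sftp root")

// sanitizePrefix is a constructed model of the flawed pattern described for
// CVE-2026-40876: after joining and cleaning, the only test is that the result
// starts with the root's bytes. "/tmp/goshsroot_evil/..." passes because it
// shares the prefix "/tmp/goshsroot" even though it is a sibling directory.
func sanitizePrefix(root, requested string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, requested) // Join also Cleans, collapsing ".." components
	if !strings.HasPrefix(full, root) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// sanitizeBounded is a directory-boundary check: the resolved path is inside
// the root only if its path relative to the root does not start with "..".
// Absolute requests ("/etc/passwd") are re-rooted by Join, so they stay jailed.
// This is a lexical check; symlinks inside the root are a separate problem
// (resolve them, or use an OS-level mechanism such as Go 1.24's os.Root).
func sanitizeBounded(root, requested string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, requested)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// verdict renders a sanitizer result for the table printed by main.
func verdict(p string, err error) string {
	if err != nil {
		return "REJECT"
	}
	return "allow " + p
}

func main() {
	const root = "/tmp/goshsroot"
	// Constructed requests: in-jail, the root itself, the sibling escape that
	// is the CVE class, and a deeper traversal that even the prefix check stops.
	for _, req := range []string{
		"reports/q1.csv",
		".",
		"../goshsroot_evil/secret.txt",
		"../../etc/passwd",
	} {
		p1, e1 := sanitizePrefix(root, req)
		p2, e2 := sanitizeBounded(root, req)
		fmt.Printf("%-32q prefix: %-42s boundary: %s\n", req, verdict(p1, e1), verdict(p2, e2))
	}
}
```

The table makes the failure mode visible: the prefix check rejects ../../etc/passwd, which is why the bug is easy to miss in casual testing, while admitting the sibling directory that shares the root's name. The filepath.Rel form is the check to port to any Go server that jails paths; the equivalent shortcut is requiring the resolved path to equal the root or start with root followed by a path separator.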

🤖 AI Executive Summary

CVE-2026-40876 is a high-severity (CVSS 3.1 base 8.8) path traversal flaw, CWE-22, in goshs, a SimpleHTTPServer written in Go, affecting versions before 2.0.0-beta.6. The SFTP subsystem validates requested paths with a raw string-prefix comparison against the configured root instead of a directory-boundary check, so an authenticated SFTP user can read and write paths outside the root that merely share its byte prefix, for example a sibling directory such as /tmp/goshsroot_evil next to a root of /tmp/goshsroot. The page flags a public exploit as available, and the fix is to upgrade to 2.0.0-beta.6 or later. Deployments that hand goshs SFTP accounts to untrusted or semi-trusted users should treat this as urgent.


🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 01:54
🇸🇦 Saudi Arabia Impact Assessment
Saudi organisations running goshs with its SFTP subsystem enabled are exposed wherever SFTP accounts are issued to parties who should not see the rest of the host, in particular: (1) government agencies and NCA-regulated entities using goshs for file exchange; (2) the banking sector (SAMA-regulated) if goshs carries inter-bank transfers or regulatory reporting; (3) the energy sector (ARAMCO, SEC) if goshs moves operational-technology files; (4) telecom providers (STC, Mobily) distributing network-management files over SFTP; (5) healthcare institutions moving patient data. Two facts bound the risk: the attacker must already hold valid SFTP credentials (PR:L in the vector), and the escape reaches paths that share the configured root's byte prefix (a sibling such as /tmp/goshsroot_evil beside /tmp/goshsroot), not arbitrary paths, so what is reachable depends on how the root is named and what its neighbours contain. Where those neighbours hold government records, financial data or infrastructure configuration, a single SFTP account becomes a read/write path to them.
🏢 Affected Saudi Sectors
Government Banking Energy Telecommunications Healthcare Defense Critical Infrastructure
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all goshs instances: inventory hosts running goshs and the port its SFTP subsystem listens on (commonly 22 or 2222, but goshs is frequently run on a custom port, so check the process configuration rather than relying on a port scan alone).
2. Restrict SFTP access: apply network-level controls (firewall rules, VPN requirements) so only known clients reach the listener, and review which accounts exist, since the flaw requires valid SFTP credentials.
3. Audit SFTP logs: review goshs/sftpserver logs for requests that resolve to a sibling of the configured root (with root /tmp/goshsroot, any resolved path that begins with /tmp/goshsroot and is followed by a character other than /), which are normally reached through '..' components in the requested path.
4. Disable goshs SFTP if it is not critical: leave the SFTP subsystem off until the instance is patched.

PATCHING GUIDANCE:
1. Upgrade to goshs 2.0.0-beta.6 or later; the description states the fix shipped in that version.
2. If the upgrade cannot be applied yet, use the compensating controls below.

COMPENSATING CONTROLS (if the patch cannot be applied):
1. Filesystem isolation: run goshs in a chroot or in a container that mounts only the SFTP root, so directories sharing the root's name prefix do not exist in the process's view of the filesystem. A read-only root filesystem on its own is not sufficient, because the flaw also permits reads.
2. SELinux/AppArmor: confine the goshs process to the designated SFTP root directory.
3. auditd: log file access by the goshs process to paths outside the root (see detection rule 2).
4. Least privilege: run goshs under a dedicated account that owns nothing outside the root, and give SFTP users only the permissions they need.

DETECTION RULES:
1. Log pattern: alert on any resolved path that begins with the configured root and is not followed by a path separator; for root /tmp/goshsroot the regex is ^/tmp/goshsroot[^/] (substitute your own root). On requested, not yet resolved, paths, additionally flag '..' components with (^|/)\.\.(/|$).
2. auditd: the watch has to cover the parent of the root, not the root itself, since a watch on /tmp/goshsroot only records in-jail activity. For example: auditctl -w /tmp -p rwa -k goshs_boundary, then filter the resulting events to the goshs process (for instance with an exit rule carrying -F exe=<path to the goshs binary>), because a watch on /tmp will also record unrelated processes.
3. Network IDS/IPS cannot inspect SFTP path names: the SFTP channel runs inside the encrypted SSH transport, so detection for this flaw has to be host-side (goshs logs, auditd, file-integrity monitoring on directories adjacent to the root).
4. Correlation: compare modification times of files outside the root with goshs SFTP session times from the server logs, and enable file-integrity monitoring on the root's sibling directories.
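Detection rule 1 applied to log lines, as an added Go example written for this page (not goshs's code). The log layout (key=value tokens after a timestamp) and the sample lines are constructed for the demonstration; goshs's real SFTP log format is not shown on this page, so field() must be adapted to whatever your deployment emits. The checker resolves each requested path against the root the way a joining server would and labels escapes as either the CVE's sibling-prefix class or ordinary traversal.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// sampleLog holds constructed lines in a hypothetical key=value access-log
// layout. Only the path= field is essential to the check; user= and op= are
// carried through for the alert.
var sampleLog = []string{
	"2026-04-22T10:15:03Z user=alice op=open path=reports/q1.csv",
	"2026-04-22T10:15:09Z user=alice op=open path=../goshsroot_evil/secret.txt",
	"2026-04-22T10:16:41Z user=bob op=list path=.",
	"2026-04-22T10:17:02Z user=bob op=write path=../../etc/cron.d/job",
	"2026-04-22T10:18:30Z user=carol op=open path=docs/../../goshsroot2/id_rsa",
}

// Alert is one request whose resolved path lies outside the SFTP root.
type Alert struct {
	User, Op, Requested, Resolved, Class string
}

// field returns the value of the key=value token in a log line, or "".
func field(line, key string) string {
	for _, tok := range strings.Fields(line) {
		if strings.HasPrefix(tok, key+"=") {
			return strings.TrimPrefix(tok, key+"=")
		}
	}
	return ""
}

// classify resolves requested against root and labels the result:
//
//	""               inside the root, or the root itself
//	"sibling-prefix" the CVE-2026-40876 class: starts with the root's bytes but is
//	                 not under root/, so strings.HasPrefix(resolved, root) admits it
//	"traversal"      escapes to a path that does not even share the prefix
func classify(root, requested string) (resolved, class string) {
	root = filepath.Clean(root)
	resolved = filepath.Join(root, requested) // Join also Cleans, collapsing ".."
	switch {
	case resolved == root, strings.HasPrefix(resolved, root+string(filepath.Separator)):
		return resolved, ""
	case strings.HasPrefix(resolved, root):
		return resolved, "sibling-prefix"
	default:
		return resolved, "traversal"
	}
}

// scan applies classify to every line carrying a path= field and returns the
// escapes in log order.
func scan(root string, lines []string) []Alert {
	var alerts []Alert
	for _, ln := range lines {
		req := field(ln, "path")
		if req == "" {
			continue
		}
		resolved, class := classify(root, req)
		if class == "" {
			continue
		}
		alerts = append(alerts, Alert{field(ln, "user"), field(ln, "op"), req, resolved, class})
	}
	return alerts
}

func main() {
	for _, a := range scan("/tmp/goshsroot", sampleLog) {
		fmt.Printf("ALERT %-14s user=%-6s op=%-5s requested=%q resolved=%s\n",
			a.Class, a.User, a.Op, a.Requested, a.Resolved)
	}
}
```

Keeping the two classes separate matters for triage: "traversal" hits would have been blocked by the vulnerable server and show probing, while "sibling-prefix" hits are requests the unpatched goshs would actually have served, so those resolved paths are the files to treat as exposed or modified.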
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
Identity and Access Management (an authenticated user escaping the boundary its account was granted); Vulnerabilities Management (tracking and applying the 2.0.0-beta.6 fix); Cybersecurity Event Logs and Monitoring Management (logging and review of SFTP path requests); secure development practices (path validation as a secure-coding control).
🔵 SAMA CSF
Identity and Access Management (authentication and authorisation of SFTP users); Application Security (input and path validation in the file-transfer service); Security Event Management (monitoring for file access outside the intended boundary); Vulnerability Management (patch tracking for goshs).
🟡 ISO 27001:2022
A.5.15 Access control (access to information and other assets); A.8.3 Information access restriction (enforcement of the SFTP root boundary); A.8.8 Management of technical vulnerabilities (patching to 2.0.0-beta.6); A.8.15 Logging (recording SFTP file operations); A.8.28 Secure coding (correct path sanitisation).
🟣 PCI DSS v4.0.1
1.3.1 Inbound traffic to the CDE restricted to what is necessary (network segmentation for SFTP listeners); 2.2.1 System configuration standards (hardened goshs configuration); 6.2.4 Software engineering techniques to prevent common attacks, including injection and access-control bypass (path traversal); 6.3.3 Timely installation of security patches; 10.2.1 Audit logs enabled for all system components (logging of SFTP file access).
📦 Affected Products / CPE (6 entries)
goshs:goshs
goshs:goshs:2.0.0 (listed five times; the pre-release qualifier distinguishing the entries did not render)
📊 CVSS Score
8.8
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low (an authenticated SFTP user)
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-22
EPSS: 0.04%
Exploit: ✓ Yes
Patch: ✗ No (feed flag; the NVD description states the issue is fixed in 2.0.0-beta.6)
Published: 2026-04-21
Source Feed: nvd
🇸🇦 Saudi Risk Score
9.2
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available CWE-22