CVE-2026-42091
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS
Description
### Summary

The PUT upload handler (`httpserver/updown.go`) lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional `Access-Control-Allow-Origin: *` on the OPTIONS preflight handler (`httpserver/server.go`), any website can write arbitrary files to a goshs instance through the victim's browser, bypassing network isolation (e.g. localhost, internal network).

### Details

**Root Cause 1 — Missing CSRF on PUT** (`httpserver/updown.go:19`)

When GHSA-jrq5-hg6x-j6g3 was fixed (commit `e3c3d37`), `checkCSRF()` was added to the POST `upload()` function (line 78) but not to the PUT `put()` function directly above it in the same file. This means PUT requests are accepted without any CSRF token.

```go
// POST — protected
func (fs *FileServer) upload(w http.ResponseWriter, req *http.Request) {
	if !fs.checkCSRF(w, req) {
		return
	}
	// ...
}

// PUT — unprotected
func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {
	// No checkCSRF call
	// ...
}
```

**Root Cause 2 — Wildcard CORS** (`httpserver/server.go:126`)

The OPTIONS handler unconditionally returns permissive CORS headers:

```go
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "POST, PUT, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
```

This allows any website's JavaScript to pass the browser's CORS preflight check and send PUT requests to the goshs server.

### PoC

[poc.zip](https://github.com/user-attachments/files/26828829/poc.zip)

Please extract the uploaded compressed file before proceeding.

1. `bash poc.sh`

(Screenshot of the PoC output, 2026-04-17)

### Impact

- Arbitrary file write to the goshs webroot from any website the victim visits
- File overwrite — existing files can be silently replaced
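The two root causes above have two independent fixes: gate `put()` on the same CSRF check that `upload()` already has, and replace the wildcard `Access-Control-Allow-Origin` with an origin allow-list. The following Go program is an added illustration of both, not goshs's own code: the cookie name `csrf_token`, the header name `X-CSRF-Token`, the `allowedOrigins` map and the `Simulate` helper are assumptions made for the example. `checkCSRF` here is a double-submit-cookie check; the real `checkCSRF()` in goshs may work differently.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed names for this example; goshs's real cookie/header names are not taken from this snippet.
const (
	csrfCookie = "csrf_token"   // hypothetical cookie carrying the token
	csrfHeader = "X-CSRF-Token" // hypothetical request header echoing it
)

// allowedOrigins is a constructed allow-list standing in for a configured one.
var allowedOrigins = map[string]bool{
	"http://localhost:8000": true,
}

// checkCSRF: the header token must equal the cookie token. A cross-site page
// cannot read the victim's cookie, so it cannot forge a matching header.
func checkCSRF(w http.ResponseWriter, req *http.Request) bool {
	c, err := req.Cookie(csrfCookie)
	if err != nil || c.Value == "" {
		http.Error(w, "missing CSRF token", http.StatusForbidden)
		return false
	}
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(req.Header.Get(csrfHeader))) != 1 {
		http.Error(w, "invalid CSRF token", http.StatusForbidden)
		return false
	}
	return true
}

// put is the hardened PUT handler: it gates the write on checkCSRF, as upload() does.
func put(w http.ResponseWriter, req *http.Request) {
	if !checkCSRF(w, req) {
		return
	}
	// The actual file write would go here; omitted because it is not the point.
	w.WriteHeader(http.StatusCreated)
}

// preflight replaces the wildcard response: only allow-listed origins get an
// Access-Control-Allow-Origin header, and it echoes that origin rather than "*".
func preflight(w http.ResponseWriter, req *http.Request) {
	origin := req.Header.Get("Origin")
	if !allowedOrigins[origin] {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	w.Header().Set("Access-Control-Allow-Origin", origin)
	w.Header().Set("Vary", "Origin") // caches must key on Origin now
	w.Header().Set("Access-Control-Allow-Methods", "POST, PUT, OPTIONS")
	w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, "+csrfHeader)
	w.WriteHeader(http.StatusNoContent)
}

// handler dispatches on method, mirroring the two code paths in the advisory.
func handler(w http.ResponseWriter, req *http.Request) {
	switch req.Method {
	case http.MethodOptions:
		preflight(w, req)
	case http.MethodPut:
		put(w, req)
	default:
		w.WriteHeader(http.StatusMethodNotAllowed)
	}
}

// Simulate runs one constructed request through handler and returns the status
// code. cookie is what the browser attaches automatically; header is what the
// requesting page can set. A foreign page can set the header but not learn the
// cookie's value, so the two only match for the site's own JavaScript.
func Simulate(method, origin, cookie, header string) int {
	req := httptest.NewRequest(method, "/upload/example.txt", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookie, Value: cookie})
	}
	if header != "" {
		req.Header.Set(csrfHeader, header)
	}
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("preflight, foreign origin:      ", Simulate("OPTIONS", "https://other-site.example", "", ""))
	fmt.Println("preflight, allowed origin:      ", Simulate("OPTIONS", "http://localhost:8000", "", ""))
	fmt.Println("PUT, cookie sent but no header: ", Simulate("PUT", "https://other-site.example", "tok", ""))
	fmt.Println("PUT, matching cookie and header:", Simulate("PUT", "http://localhost:8000", "tok", "tok"))
}
```

The third case is the one the advisory describes: the browser attaches the victim's cookie to a cross-site PUT, but the foreign page cannot supply a matching header, so the write is refused with 403 even if the preflight were somehow passed. Either fix alone blocks the reported scenario; applying both means a future mistake in one layer is not immediately exploitable through the other.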
How to fix CVE-2026-42091
To remediate CVE-2026-42091, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 2.0.2 or later