CVE-2025-70950
Directory Traversal in GoHTTP
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| itang | gohttp | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a directory traversal issue in the gohttp project, specifically in the FileServer component. It allows attackers to craft a malicious request that can traverse directories on the server.
By exploiting this, an attacker can potentially access files outside the intended directory, which should normally be restricted.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker can read arbitrary files on the server by exploiting the directory traversal flaw.
This could lead to unauthorized access to sensitive information, configuration files, or other data that should be protected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP requests that attempt directory traversal patterns to the gohttp server and observing if arbitrary files can be read.
For example, you can use curl commands to test for directory traversal by requesting paths like '../../etc/passwd' or similar traversal sequences.
- curl -v http://target-server/../../etc/passwd
- curl -v http://target-server/%2e%2e/%2e%2e/etc/passwd
If the server responds with the contents of sensitive files, it indicates the presence of the directory traversal vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the gohttp server to a version where this directory traversal vulnerability is fixed.
If an update is not immediately available, restrict access to the vulnerable service by using firewall rules or network segmentation to limit exposure.
Additionally, monitor logs for suspicious requests containing directory traversal patterns and block such requests if possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in gohttp allows attackers to perform directory traversal and arbitrary file read, which can lead to unauthorized access to sensitive information.
Such unauthorized access to sensitive data can potentially result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and health information.
However, the provided information does not specify exact impacts or compliance assessments related to these standards.