CVE-2026-42091
CSRF Bypass in goshs File Upload

Publication date: 2026-05-04

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser, bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-05
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor   Product   Version / Range
goshs    goshs     all versions before 2.0.2 (2.0.2 excluded)
CWE
CWE-352 (Cross-Site Request Forgery): The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI-generated analysis
Executive Summary

The vulnerability exists in goshs, a SimpleHTTPServer written in Go, specifically in versions prior to 2.0.2. The PUT upload handler did not have CSRF token validation, unlike the POST upload handler which was fixed earlier. Because the server also unconditionally allows any origin via the Access-Control-Allow-Origin: * header on the OPTIONS preflight handler, any website can exploit this to write arbitrary files to a goshs instance through a victim's browser. This effectively bypasses network isolation such as localhost or internal networks.

Impact Analysis

This vulnerability allows an attacker to write arbitrary files to a goshs server instance by tricking a victim's browser into sending malicious requests. This can lead to unauthorized modification or insertion of files on the server, potentially compromising the integrity of the system or enabling further attacks. Since the attack bypasses network isolation, even internal or localhost servers running goshs could be affected.

Mitigation Strategies

To mitigate this vulnerability, upgrade goshs to version 2.0.2 or later, where the issue has been patched.

This update adds CSRF token validation to the PUT upload handler and removes the unconditional Access-Control-Allow-Origin: * header on the OPTIONS preflight handler, preventing unauthorized file uploads via a victim's browser.
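As an added illustration (not goshs's own code; the header name X-CSRF-Token, the token source and the origin allow-list are assumptions), the Go sketch below shows the two fixes side by side: an upload handler that applies the same CSRF token check to PUT as to POST, and a preflight handler that reflects only allow-listed origins instead of sending Access-Control-Allow-Origin: * to everyone.

```go
package main

import (
	"crypto/subtle"
	"io"
	"net/http"
)

// Added illustration, not goshs's own code (header name is an assumption):
// PUT gets the same CSRF token check as POST, and the preflight handler
// never answers Access-Control-Allow-Origin: *.
const csrfHeader = "X-CSRF-Token"
// validCSRF compares tokens in constant time; an empty token never validates.
func validCSRF(r *http.Request, expected string) bool {
	got := r.Header.Get(csrfHeader)
	if got == "" || expected == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(expected)) == 1
}

// uploadHandler stores POST/PUT bodies under the request path; the mux is assumed to route only those methods here.
func uploadHandler(expected string, files map[string][]byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !validCSRF(r, expected) { // enforced for PUT as well as POST
			http.Error(w, "missing or invalid CSRF token", http.StatusForbidden)
			return
		}
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // 1 MiB cap
		if err != nil {
			http.Error(w, "read error", http.StatusBadRequest)
			return
		}
		files[r.URL.Path] = body
		w.WriteHeader(http.StatusCreated)
	}
}

// preflightHandler reflects only allow-listed origins; any other origin gets
// no CORS headers, so the browser refuses to send the cross-origin PUT.
func preflightHandler(allowed map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); allowed[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Methods", "POST, PUT")
			w.Header().Set("Access-Control-Allow-Headers", csrfHeader)
		}
		w.WriteHeader(http.StatusNoContent)
	}
}
```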

Compliance Impact

The vulnerability allows arbitrary file writes through a victim's browser due to missing CSRF protection on PUT requests combined with overly permissive CORS settings. This can lead to unauthorized modification of data hosted on the goshs server.

Such unauthorized data modification could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and prevention of unauthorized access or alteration of sensitive information.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Detection Guidance

To detect the presence of the CVE-2026-42091 vulnerability on your system, you should first identify if you are running a vulnerable version of goshs (version 2.0.1 or earlier).

You can check the version of goshs running on your system by using commands like:

  • ps aux | grep goshs
  • goshs --version

To detect exploitation attempts or the vulnerability on the network, monitor HTTP PUT requests to the goshs server, especially those coming from cross-origin sources. Since the vulnerability involves missing CSRF protection on PUT requests and permissive CORS headers, you can look for suspicious PUT requests with unusual origins.

Example commands that use tcpdump or tshark to filter HTTP PUT requests:

  • sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'PUT '
  • tshark -Y 'http.request.method == "PUT"' -T fields -e ip.src -e http.host -e http.request.uri

Additionally, checking HTTP response headers for Access-Control-Allow-Origin: * on OPTIONS preflight requests can indicate the permissive CORS configuration that contributes to this vulnerability.

If you have access to the goshs server logs, review them for PUT requests without proper authentication or CSRF tokens.
