CVE-2026-35392
goshs · goshs
The goshs SimpleHTTPServer fails to sanitize file paths during PUT uploads, enabling arbitrary file write/overwrite.
Executive summary
An arbitrary file write vulnerability in goshs allows remote attackers to create or overwrite files outside the served directory, with the privileges of the goshs process. Depending on which files that user can write, this can escalate to code execution and full compromise of the host.
Vulnerability
The PUT upload handler in httpserver/updown.go does not sanitize the client-supplied file path before joining it with the upload directory. A path containing directory traversal sequences (../) therefore resolves outside the intended directory, and because the request body becomes the file contents, the attacker controls both where the file lands and what it contains.
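The pattern behind this class of bug, and one way to close it, as an added illustration in Go (goshs is written in Go). This is not goshs's own code and does not reproduce the vulnerable function in httpserver/updown.go; the upload root /srv/uploads and the request paths are constructed for the example. unsafeJoin shows why filepath.Join alone is not a sanitizer: it cleans the path, so "../" segments walk above the root. safeJoin rejects absolute paths, empty names and anything whose cleaned form still escapes the root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any requested path that would resolve
// outside the upload directory.
var ErrOutsideRoot = errors.New("requested path escapes the upload root")

// unsafeJoin shows the flawed pattern: the client-supplied path is joined
// onto the upload root with no check on where the result lands.
// filepath.Join cleans the path, so "../" segments climb above root.
// (Illustrative pattern only, not goshs's actual code.)
func unsafeJoin(root, requested string) string {
	return filepath.Join(root, requested)
}

// safeJoin resolves a client-supplied relative path inside root and refuses
// anything that is absolute, empty, or that climbs out of root.
func safeJoin(root, requested string) (string, error) {
	// Treat backslashes as separators so "..\" variants are caught on every OS.
	requested = strings.ReplaceAll(requested, `\`, "/")

	// Reject absolute paths and Windows volume names before cleaning.
	if filepath.IsAbs(requested) || filepath.VolumeName(requested) != "" || strings.HasPrefix(requested, "/") {
		return "", ErrOutsideRoot
	}
	cleaned := filepath.Clean(requested)
	// filepath.IsLocal (Go 1.20+) is a lexical check: not absolute, not
	// empty, no ".." escape, no reserved Windows names. "." means no file name.
	if cleaned == "." || !filepath.IsLocal(cleaned) {
		return "", ErrOutsideRoot
	}
	full := filepath.Join(root, cleaned)
	// Belt and braces: confirm the final path is still under root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	root := "/srv/uploads"
	for _, req := range []string{"notes.txt", "sub/dir/file.bin", "sub/../file.txt", "../../etc/cron.d/job", "/etc/passwd", "sub/../../x"} {
		p, err := safeJoin(root, req)
		fmt.Printf("%-24q unsafe=%-32q safe=%q err=%v\n", req, unsafeJoin(root, req), p, err)
	}
}
```

The checks here are purely lexical. They do not protect against a symlink already inside the upload directory that points elsewhere; for that, open files relative to a directory handle (os.Root in Go 1.24 and later) or verify the resolved path after following links.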
Business impact
This vulnerability allows attackers to overwrite critical configuration files or plant files that will later be executed. goshs serves files rather than executing them, so the code-execution path runs through files that another component will act on: configuration read by other services, scheduled jobs, SSH authorized_keys, shell startup files, or a web shell in a directory that a separate interpreter serves. With a CVSS score of 9.8, this is a critical risk to the integrity and availability of the hosting server, and to its confidentiality once code execution is achieved.
Remediation
Immediate Action: Update goshs to version 2.0.0-beta.3 or later.
Proactive Monitoring: Monitor web server logs for PUT requests whose target contains directory traversal sequences (e.g., ../). Access logs usually record the raw request target before decoding, so match percent-encoded forms as well (%2e%2e/, ..%2f, and double-encoded %252e) rather than only the literal string ../.
Compensating Controls: Run the service as a dedicated unprivileged user, serve from a dedicated directory, and use filesystem-level restrictions so that the upload directory is the only location that user can write. This limits what an arbitrary write can reach even before the upgrade is applied.
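The monitoring step above as working detection logic, added here as an example and not taken from goshs or its documentation. The access-log lines are constructed for the example in common log format (goshs's real log format may differ, so adapt the regular expression). The point it demonstrates is the decoding caveat: a plain search for "../" in the raw line catches only the first suspicious entry below, while normalising percent-encoding first catches all of them.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed access-log lines in common log format (not real goshs output).
var sampleLog = []string{
	`10.0.0.5 - - [11/Apr/2026:10:01:02 +0000] "GET /files/report.pdf HTTP/1.1" 200 10240`,
	`10.0.0.5 - - [11/Apr/2026:10:01:09 +0000] "PUT /upload/notes.txt HTTP/1.1" 201 0`,
	`10.0.0.9 - - [11/Apr/2026:10:02:17 +0000] "PUT /upload/../../etc/cron.d/job HTTP/1.1" 201 0`,
	`10.0.0.9 - - [11/Apr/2026:10:02:18 +0000] "PUT /upload/%2e%2e/%2e%2e/root/.ssh/authorized_keys HTTP/1.1" 201 0`,
	`10.0.0.9 - - [11/Apr/2026:10:02:19 +0000] "PUT /upload/%252e%252e/%252e%252e/tmp/x HTTP/1.1" 201 0`,
	`10.0.0.9 - - [11/Apr/2026:10:02:20 +0000] "GET /files/..%2f..%2fetc/passwd HTTP/1.1" 404 0`,
}

// requestLine captures the method and raw target from the quoted request line.
var requestLine = regexp.MustCompile(`"([A-Z]+) ([^ "]+) HTTP/[0-9.]+"`)

// hasTraversal reports whether a raw request target contains a ".." path
// segment once percent-encoding (up to two layers) and backslashes are
// normalised. A literal "../" check on the raw line misses the encoded forms.
func hasTraversal(target string) bool {
	p := target
	if i := strings.IndexAny(p, "?#"); i >= 0 {
		p = p[:i] // query string and fragment never reach the filesystem path
	}
	for i := 0; i < 2; i++ {
		d, err := url.PathUnescape(p)
		if err != nil || d == p {
			break // malformed escape or nothing left to decode
		}
		p = d
	}
	p = strings.ReplaceAll(p, `\`, "/")
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// suspiciousPuts returns the log lines whose request is a PUT with a
// traversal sequence in the target.
func suspiciousPuts(lines []string) []string {
	var hits []string
	for _, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		method, target := m[1], m[2]
		if method == "PUT" && hasTraversal(target) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	for _, h := range suspiciousPuts(sampleLog) {
		fmt.Println("ALERT:", h)
	}
}
```

Run against the sample, this flags the three PUT entries and ignores the GET with an encoded traversal; widen the method check if read-side probing is also of interest. Go's net/http decodes the request target once, so a double-encoded path is unlikely to succeed against a Go server, but it is a reliable scanner signature and worth alerting on.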
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The lack of path sanitization on an upload endpoint is a critical oversight. Administrators must upgrade to 2.0.0-beta.3 or later immediately, confirm that the service runs as an unprivileged user isolated from sensitive system paths, and review the host for files written outside the served directory while the vulnerable version was exposed.