CVE-2026-35393

goshs · goshs

The goshs SimpleHTTPServer fails to sanitize directories during multipart POST uploads, enabling unauthorized file placement.

Executive summary

An arbitrary file write vulnerability in goshs allows remote attackers to place files in unauthorized locations, potentially leading to system compromise.

Vulnerability

The application does not sanitize the target directory supplied with a multipart POST upload, so an attacker can control where the uploaded file is written.
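The defect class described here, shown from the fixing side as an added example (this is not goshs code and does not reproduce its handler): a Go helper that confines the client-supplied upload directory and file name to the served root, plus a create routine that uses O_EXCL so an upload cannot overwrite an existing file. The function and error names are assumptions for this example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("upload path escapes the served directory")

// resolveUploadPath maps the client-supplied target directory and file name
// from a multipart POST onto a path inside root, rejecting any combination
// that would resolve outside root. Hypothetical helper, not goshs code.
func resolveUploadPath(root, clientDir, clientName string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Honour only the base name of the upload; directory components
	// smuggled into the file name are dropped.
	name := filepath.Base(filepath.FromSlash(clientName))
	if name == "." || name == ".." || name == string(filepath.Separator) {
		return "", errors.New("missing file name")
	}
	// Join cleans ".." segments and treats an absolute clientDir as relative,
	// so an escape can only be detected by comparing the result against root.
	dest := filepath.Join(absRoot, filepath.FromSlash(clientDir), name)
	rel, err := filepath.Rel(absRoot, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideRoot
	}
	// Caveat: symlinks under root are not resolved here; apply
	// filepath.EvalSymlinks to the existing parent if the tree may contain them.
	return dest, nil
}

// openUploadTarget resolves the path and then creates the file with O_EXCL,
// so an upload can never overwrite a file that already exists inside root.
func openUploadTarget(root, clientDir, clientName string) (*os.File, error) {
	dest, err := resolveUploadPath(root, clientDir, clientName)
	if err != nil {
		return nil, err
	}
	return os.OpenFile(dest, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o640)
}
```

The parent directory of the resolved path must already exist; creating it is left to the caller so that directory creation is also a deliberate, confined step.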

Business impact

This vulnerability enables unauthorized file uploads, which can be used to place malicious scripts or overwrite system files. With a CVSS score of 9.8, this poses a high risk of complete server takeover.

Remediation

Immediate Action: Update goshs to version 2.0.0-beta.3 or later.

Proactive Monitoring: Review access logs for suspicious POST requests and verify the integrity of uploaded files.

Compensating Controls: Implement strict filesystem permissions and ensure the service runs in a restricted chroot or containerized environment.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Immediate remediation is required to prevent unauthorized file placement. Upgrade to the latest version to ensure that input sanitization is correctly implemented for all file upload methods.