CVE-2026-35471
goshs · goshs
The goshs SimpleHTTPServer contains a path traversal flaw in its file deletion function: the handler runs a traversal check but does not return when that check fails, so the deletion proceeds anyway.
Executive summary
A path traversal vulnerability in goshs allows remote attackers to delete arbitrary files outside the served directory, anywhere the service account has write access, threatening system availability.
Vulnerability
The deleteFile() function performs a path traversal check but does not return when the check fails. Execution falls through to the deletion step, so a request whose path resolves outside the served directory is rejected in the response yet still deleted on disk.
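The following Go program is an added illustration of the bug class the advisory describes; it is not goshs's own code, and the handler names, the `?file=` query parameter and the temporary directory layout are assumptions made for the demonstration. `deleteFileVulnerable` writes a 403 when the traversal check fails but never returns, so `os.Remove` still runs; `deleteFileFixed` is the same handler with the early return in place. `probe` builds a served directory with a constructed secret file beside it, sends a `../` request to each handler, and reports whether the secret survived.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// withinRoot resolves a client-supplied relative path against the served
// directory and reports the absolute target plus whether it stays inside root.
func withinRoot(root, requested string) (string, bool) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", false
	}
	// filepath.Join cleans the result, so "../" segments are collapsed here and a
	// traversal shows up as a target that no longer sits under absRoot.
	target := filepath.Join(absRoot, filepath.FromSlash(requested))
	inside := target != absRoot && strings.HasPrefix(target, absRoot+string(os.PathSeparator))
	return target, inside
}

// deleteFileVulnerable mirrors the pattern in the advisory: the check runs and
// writes a 403, but the branch never returns, so the deletion still executes.
func deleteFileVulnerable(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		target, ok := withinRoot(root, r.URL.Query().Get("file"))
		if !ok {
			http.Error(w, "path traversal rejected", http.StatusForbidden)
			// BUG: missing return; execution falls through to os.Remove below.
		}
		if err := os.Remove(target); err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		fmt.Fprintln(w, "deleted")
	}
}

// deleteFileFixed is the same handler with the early return in place.
func deleteFileFixed(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		target, ok := withinRoot(root, r.URL.Query().Get("file"))
		if !ok {
			http.Error(w, "path traversal rejected", http.StatusForbidden)
			return
		}
		if err := os.Remove(target); err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		fmt.Fprintln(w, "deleted")
	}
}

// probe creates <tmp>/served as the served root and a constructed secret file
// at <tmp>/secret.txt, one level above it, then sends a traversal request to
// the handler and reports whether the secret is still on disk.
func probe(handler func(string) http.HandlerFunc) (secretSurvived bool, status int, err error) {
	base, err := os.MkdirTemp("", "traversal-demo")
	if err != nil {
		return false, 0, err
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "served")
	if err := os.Mkdir(root, 0o755); err != nil {
		return false, 0, err
	}
	secret := filepath.Join(base, "secret.txt")
	if err := os.WriteFile(secret, []byte("constructed sample data"), 0o600); err != nil {
		return false, 0, err
	}
	// The request escapes the served directory by one level.
	req := httptest.NewRequest(http.MethodDelete, "/delete?file=../secret.txt", nil)
	rec := httptest.NewRecorder()
	handler(root).ServeHTTP(rec, req)
	_, statErr := os.Stat(secret)
	return statErr == nil, rec.Code, nil
}

func main() {
	for name, h := range map[string]func(string) http.HandlerFunc{
		"vulnerable": deleteFileVulnerable,
		"fixed":      deleteFileFixed,
	} {
		survived, status, err := probe(h)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%-10s status=%d secret survived=%v\n", name, status, survived)
	}
}
```

Both handlers answer the traversal request with HTTP 403, which is why the bug is easy to miss in black-box testing: the response looks like a rejection while the file is gone. The prefix comparison in `withinRoot` appends a path separator to the root so that a sibling directory such as `/srv/www2` is not accepted as being under `/srv/www`.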
Business impact
An attacker can delete sensitive system files, causing a denial of service or the destruction of critical data. With a CVSS score of 9.8, this flaw represents a significant risk to system stability and integrity.
Remediation
Immediate Action: Update goshs to version 2.0.0-beta.3 or later.
Proactive Monitoring: Monitor goshs request logs for file deletion requests that contain traversal sequences such as ../, and watch for unexplained file loss or service outages.
Compensating Controls: Run goshs under a dedicated, unprivileged service account whose write access is restricted to the directories it serves, so that a traversal outside the served root has nothing it is permitted to delete.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
A validation check that reports failure but does not return is a critical logic error: it leaves the check in place cosmetically while removing its effect. Administrators must update to the fixed version immediately so that path validation is actually enforced.