CVE-2026-40884

goshs · goshs

An SFTP authentication bypass in goshs allows unauthenticated network attackers to access files without a password when the server is started with password-only basic auth (empty username) and the SFTP service enabled.

Executive summary

An SFTP authentication bypass in goshs (a Go file server in the style of Python's SimpleHTTPServer) allows unauthenticated attackers to access files without credentials, representing a critical security risk.

Vulnerability

When goshs is started with basic auth whose username half is empty (password-only mode) together with the -sftp flag, the server never installs a password handler for the SFTP listener. With no handler in place, the SFTP service accepts any login regardless of the password supplied, so the configured password protects the HTTP interface but not SFTP.
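
The following Go block is an added illustration of the bug class described above, not goshs' own code: a stand-in server config whose password handler is installed only when a non-empty username is present, shown next to a hardened builder. The `ServerConfig`, `PasswordCallback` and `Authenticate` names, the `user:password` credential format and the assumption that a nil handler means "nothing to check" are all modelling choices made here to reproduce the outcome the advisory describes; they are not the semantics of any particular SSH library.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// PasswordCallback mirrors the shape of an SSH-library password handler:
// consulted once per login attempt, it returns nil to accept the login.
type PasswordCallback func(user, password string) error

// ServerConfig is a minimal stand-in for an SSH/SFTP server configuration.
// Assumption for this model: a nil Password means no check is performed.
type ServerConfig struct {
	Password PasswordCallback
}

var ErrAuthFailed = errors.New("sftp: authentication failed")

// splitBasicAuth parses a "user:password" credential; an empty user half
// selects password-only mode (assumed format, matching the advisory text).
func splitBasicAuth(spec string) (user, pass string) {
	user, pass, _ = strings.Cut(spec, ":")
	return user, pass
}

// buildConfigVulnerable installs a handler only when BOTH halves are set.
// ":s3cret" therefore leaves Password nil, and Authenticate below then
// lets every client in: the bug class this advisory describes.
func buildConfigVulnerable(spec string) *ServerConfig {
	cfg := &ServerConfig{}
	user, pass := splitBasicAuth(spec)
	if user != "" && pass != "" {
		cfg.Password = matchUserPass(user, pass)
	}
	return cfg
}

// buildConfigFixed always installs a handler when a password is present
// (ignoring the username in password-only mode) and refuses to build a
// config with no credential at all, so a nil handler can never be served.
func buildConfigFixed(spec string) (*ServerConfig, error) {
	user, pass := splitBasicAuth(spec)
	if pass == "" {
		return nil, errors.New("sftp: refusing to start without a password")
	}
	cfg := &ServerConfig{}
	if user == "" {
		cfg.Password = func(_, p string) error { return constantTimeCheck(p, pass) }
	} else {
		cfg.Password = matchUserPass(user, pass)
	}
	return cfg, nil
}

// matchUserPass returns a handler requiring both username and password.
func matchUserPass(wantUser, wantPass string) PasswordCallback {
	return func(user, password string) error {
		if subtle.ConstantTimeCompare([]byte(user), []byte(wantUser)) != 1 {
			return ErrAuthFailed
		}
		return constantTimeCheck(password, wantPass)
	}
}

func constantTimeCheck(got, want string) error {
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return ErrAuthFailed
	}
	return nil
}

// Authenticate models a listener that treats a missing handler as
// "no authentication configured" and admits the client.
func Authenticate(cfg *ServerConfig, user, password string) error {
	if cfg.Password == nil {
		return nil // nothing to check: any credential is accepted
	}
	return cfg.Password(user, password)
}

func main() {
	vuln := buildConfigVulnerable(":s3cret")
	fmt.Println("vulnerable, wrong password:", Authenticate(vuln, "", "wrong"))
	fixed, _ := buildConfigFixed(":s3cret")
	fmt.Println("fixed, wrong password:", Authenticate(fixed, "", "wrong"))
	fmt.Println("fixed, right password:", Authenticate(fixed, "anyone", "s3cret"))
}
```

The point of the hardened builder is that the decision "is a password check installed?" is keyed on the presence of a password, not on the presence of a username, and that starting with no credential is an error rather than silently open access.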

Business impact

The CVSS score of 9.8 reflects the severity of this access control failure: the only precondition is network reachability of the SFTP port. An attacker can remotely read everything the goshs instance exposes over SFTP, leading to full exfiltration of the served directory tree, and, where the SFTP endpoint also accepts writes, to modification of that content and potential compromise of host integrity.

Remediation

Immediate Action: Upgrade to version 2.0.0-beta.6 or later, which resolves the SFTP authentication bypass.

Proactive Monitoring: Inspect SFTP access logs for connections originating from unexpected IP addresses, and for successful SFTP logins with an empty username or a password that does not match the configured one; on an affected build, any successful SFTP login while running in password-only mode should be treated as suspect.

Compensating Controls: If upgrading is not immediately feasible, disable the SFTP service (do not pass -sftp), or restrict network access to the SFTP port (bind to localhost or firewall it) so that only trusted clients can connect. Because the bypass is triggered specifically by an empty username, running with a full username:password credential avoids the affected code path, but this should be verified against the deployed version rather than relied on blindly.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is a significant oversight in authentication logic: a configuration that looks protected is, for the SFTP service, fully open. Users of goshs should update to 2.0.0-beta.6 or later immediately to ensure that SFTP access is correctly protected by password verification, and should confirm after upgrading that an SFTP login with a wrong password is rejected.