CVE-2025-70950

gohttp · gohttp

A directory traversal vulnerability in gohttp allows unauthenticated attackers to access unauthorized files via crafted requests.

Executive summary

A directory traversal vulnerability in the gohttp library could allow remote attackers to read arbitrary files from the host filesystem.

Vulnerability

The vulnerability exists due to improper input validation in the gohttp library (specifically noted in commit 34ea51), allowing an unauthenticated attacker to supply a crafted request that escapes the intended directory structure.

Business impact

Successful exploitation allows unauthorized access to sensitive configuration files, source code, or system data, leading to information disclosure and potential further compromise of the application environment. With a CVSS score of 7.3, this flaw poses a serious threat to confidentiality and should be treated as a high-priority remediation item.

Remediation

Immediate Action: Update the gohttp dependency to the latest patched version provided by the maintainer or the vendor of the software incorporating this library.

Proactive Monitoring: Review web server and application access logs for directory traversal patterns, such as sequences like "../" or null-byte injections, targeting application endpoints.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules specifically configured to block directory traversal attempts and normalize URI requests.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Directory traversal vulnerabilities are frequently targeted for automated reconnaissance and data exfiltration. Organizations utilizing the gohttp library must audit their dependencies and apply updates immediately to prevent unauthorized file access.