{"uuid": "05df88f7-87fb-407c-b096-db17513c3dd6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-MXG3-432P-MR72", "type": "seen", "source": "https://gist.github.com/alon710/1474aba13ecdd80a0e1ac1b868112ef1", "content": "# GHSA-MXG3-432P-MR72: SSH Host Key Verification Disabled in goshs\n\n> **CVSS Score:** 8.1\n> **Published:** 2026-05-15\n> **Full Report:** https://cvereports.com/reports/GHSA-MXG3-432P-MR72\n\n## Summary\nA critical vulnerability in the Go-based file server goshs allows transparent Man-in-the-Middle (MITM) attacks during SSH tunnel establishment. Because versions prior to 2.0.7 use ssh.InsecureIgnoreHostKey() as the HostKeyCallback, they never validate the identity of the remote SSH server.\n\n## TL;DR\ngoshs versions before 2.0.7 disable SSH host key verification when establishing remote tunnels. This flaw allows an attacker with a privileged network position to intercept the SSH connection and access the underlying unencrypted HTTP traffic.\n\n## Technical Details\n\n- **CWE ID**: CWE-295 (Improper Certificate Validation)\n- **Attack Vector**: Network (Adjacent/Intercepting)\n- **CVSS v3.1**: 8.1 (Estimated)\n- **Impact**: High (Confidentiality & Integrity via MITM)\n- **Exploit Status**: None (Unweaponized)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- **goshs**: < 2.0.7 (fixed in `2.0.7`)\n\n## Mitigation\n\n- Upgrade goshs to version 2.0.7 or later so that the Trust-On-First-Use (TOFU) host key mechanism is active.\n- Manually verify the SSH host key fingerprint of the tunnel provider during the first connection attempt.\n- Implement network monitoring to detect unexpected changes in SSH routing paths or anomalous intermediate hops.\n\n**Remediation Steps:**\n1. Stop any running instances of goshs.\n2. Download the v2.0.7 binary from the official GitHub releases page or rebuild the application from the tagged source.\n3. Start the updated goshs binary with the --tunnel flag.\n4. When prompted, or during initial setup, compare the displayed server fingerprint against the public documentation provided by the tunnel service (e.g., localhost.run).\n5. Instruct users on how to handle HostKeyMismatchError alerts correctly, explicitly forbidding automated deletion of the known_hosts file without verification.\n\n## References\n\n- [GitHub Security Advisory: GHSA-MXG3-432P-MR72](https://github.com/advisories/GHSA-MXG3-432P-MR72)\n- [Project Repository: goshs](https://github.com/patrickhener/goshs)\n- [Fix Commit: 8f409cb08aacc6e94704334e8b1fb2cd50f5dd98](https://github.com/patrickhener/goshs/commit/8f409cb08aacc6e94704334e8b1fb2cd50f5dd98)\n- [CISA Bulletin: SB25-132](https://www.cisa.gov/news-events/bulletins/sb25-132)\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-MXG3-432P-MR72) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-15T17:40:36.000000Z"}