GHSA-MXG3-432P-MR72

Vulnerability from github – Published: 2026-05-15 17:17 – Updated: 2026-05-15 17:17
VLAI
Summary
goshs: SSH host key verification disabled, allowing transparent MITM of every tunnelled HTTP request
Details

Summary

The --tunnel / -t flag opens an outbound SSH connection to localhost.run:22 with HostKeyCallback: ssh.InsecureIgnoreHostKey(). The Go documentation for that function states verbatim: "It should not be used for production code." With the callback disabled the client accepts any host key the server presents, so an attacker who can intercept the operator's TCP connection to localhost.run:22 (any router on the path, malicious local network, ARP/DNS spoof on the operator's LAN, BGP hijack, malicious VPN) can present their own SSH host key, terminate the SSH session locally, and proxy onward — sitting transparently in the middle of the tunnel.

Because localhost.run does TLS termination at their end, the HTTP traffic on the SSH leg is plaintext, so the on-path attacker reads and rewrites every request and response in cleartext. The goshs operator gets no warning; the public URL works normally.

Affected Code

File: tunnel/tunnel.go

func Start(localIP string, localPort int) (*Tunnel, error) {
    config := &ssh.ClientConfig{
        User:            "nokey",
        Auth:            []ssh.AuthMethod{ssh.Password("")},
        HostKeyCallback: ssh.InsecureIgnoreHostKey(), // accepts any server key
        Timeout:         10 * time.Second,
        BannerCallback:  func(banner string) error { return nil },
    }
    client, err := ssh.Dial("tcp", "localhost.run:22", config)
    ...
}

There is no fallback verification — no ssh.FixedHostKey, no known_hosts read, no TOFU pin. Every invocation of goshs --tunnel is equally vulnerable.

Exploit Chain

  1. Operator runs goshs --tunnel. tunnel.Start() opens an SSH client to localhost.run:22 with InsecureIgnoreHostKey().
  2. Attacker positioned on the network path (compromised router, café Wi-Fi MITM, malicious VPN exit, hostile ISP, BGP hijack, or arpspoof + DNS spoof on the operator's LAN) intercepts the outbound TCP connection to localhost.run:22 and answers with their own SSH server.
  3. The attacker's fake SSH server presents an attacker-generated host key. The goshs client's HostKeyCallback returns nil unconditionally. Handshake completes; the client believes it is talking to localhost.run.
  4. The attacker proxies the SSH session onward to the real localhost.run:22, forwarding the URL capture so Start() reads back the genuine https://*.lhr.life line and returns successfully. The operator sees the public URL printed to stdout exactly as expected.
  5. Every HTTP request arriving at the public URL is routed over the SSH session. The attacker reads every URL, query string, header, body, and Authorization value sent by every visitor.
  6. For each response the attacker can rewrite the body or headers — serving modified files, injecting HTML/JS, redirecting requests, or stripping Set-Cookie attributes.
  7. Captured basic-auth credentials give the attacker authenticated access to upload, share-link, catcher, clipboard, and CLI endpoints. If goshs is running credential-collection listeners (SMB/LDAP/SMTP), the captured NTLM hashes and SMTP messages flowing through the tunnel are also exposed.

Impact

  • Confidentiality (High): all HTTP request and response content is readable by the on-path attacker (URLs, headers, basic-auth Authorization, file contents, share-link tokens, the ?goshs-info JSON dump).
  • Integrity (High): attacker can modify responses in-flight — replace served files, inject <script> into HTML responses, swap offered binaries for backdoored ones.
  • Availability: not affected.

Preconditions

  • Operator must be running goshs --tunnel / goshs -t.
  • Attacker must hold a network-on-path position between the operator and localhost.run:22 (LAN MITM, malicious Wi-Fi, hostile ISP/VPN, BGP hijack, or DNS spoofing combined with an attacker-controlled SSH endpoint).

Fix (applied in v2.0.7)

ssh.InsecureIgnoreHostKey() has been replaced with a Trust-On-First-Use (TOFU) host key callback backed by ~/.config/goshs/known_hosts.

Behaviour after the fix:

  • On first connection: goshs accepts the host key presented by localhost.run, writes it to ~/.config/goshs/known_hosts (mode 0600), and prints two warning lines: WARN tunnel: pinned new host key for localhost.run:22 (SHA256:<fingerprint>) in ~/.config/goshs/known_hosts WARN tunnel: verify with: ssh-keyscan localhost.run 2>/dev/null | ssh-keygen -l -f - The operator should compare the printed fingerprint against the ssh-keyscan output to confirm no MITM occurred on that first connection.

  • On subsequent connections: the stored key is loaded via golang.org/x/crypto/ssh/knownhosts and the presented key is verified against it. A mismatch returns a typed HostKeyMismatchError and goshs exits immediately with: FATAL tunnel: ssh: host key mismatch for localhost.run:22 — possible MITM attack. If localhost.run legitimately rotated its key, delete ~/.config/goshs/known_hosts and reconnect

Files changed:

File Change
config/config.go Added Dir() — creates and returns ~/.config/goshs (mode 0700)
main.go Calls config.Dir() on every startup to ensure the directory exists
tunnel/tunnel.go Replaced InsecureIgnoreHostKey() with buildTOFUCallback(knownHostsFile); added exported HostKeyMismatchError type
httpserver/server.go Resolves ~/.config/goshs/known_hosts via config.Dir(), passes it to tunnel.Start(); fatal-exits on HostKeyMismatchError

Implementation uses only already-vendored dependencies (golang.org/x/crypto/ssh/knownhosts is part of the existing golang.org/x/crypto direct dependency — no new modules added).

Severity
7.4 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.6"
      },
      "package": {
        "ecosystem": "Go",
        "name": "goshs.de/goshs/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-322"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-15T17:17:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe `--tunnel` / `-t` flag opens an outbound SSH connection to `localhost.run:22` with `HostKeyCallback: ssh.InsecureIgnoreHostKey()`. The Go documentation for that function states verbatim: *\"It should not be used for production code.\"* With the callback disabled the client accepts any host key the server presents, so an attacker who can intercept the operator\u0027s TCP connection to `localhost.run:22` (any router on the path, malicious local network, ARP/DNS spoof on the operator\u0027s LAN, BGP hijack, malicious VPN) can present their own SSH host key, terminate the SSH session locally, and proxy onward \u2014 sitting transparently in the middle of the tunnel.\n\nBecause `localhost.run` does TLS termination at their end, the HTTP traffic on the SSH leg is plaintext, so the on-path attacker reads and rewrites every request and response in cleartext. The goshs operator gets no warning; the public URL works normally.\n\n### Affected Code\n\n**File:** `tunnel/tunnel.go`\n\n```go\nfunc Start(localIP string, localPort int) (*Tunnel, error) {\n    config := \u0026ssh.ClientConfig{\n        User:            \"nokey\",\n        Auth:            []ssh.AuthMethod{ssh.Password(\"\")},\n        HostKeyCallback: ssh.InsecureIgnoreHostKey(), // accepts any server key\n        Timeout:         10 * time.Second,\n        BannerCallback:  func(banner string) error { return nil },\n    }\n    client, err := ssh.Dial(\"tcp\", \"localhost.run:22\", config)\n    ...\n}\n```\n\nThere is no fallback verification \u2014 no `ssh.FixedHostKey`, no `known_hosts` read, no TOFU pin. Every invocation of `goshs --tunnel` is equally vulnerable.\n\n### Exploit Chain\n\n1. Operator runs `goshs --tunnel`. `tunnel.Start()` opens an SSH client to `localhost.run:22` with `InsecureIgnoreHostKey()`.\n2. Attacker positioned on the network path (compromised router, caf\u00e9 Wi-Fi MITM, malicious VPN exit, hostile ISP, BGP hijack, or `arpspoof` + DNS spoof on the operator\u0027s LAN) intercepts the outbound TCP connection to `localhost.run:22` and answers with their own SSH server.\n3. The attacker\u0027s fake SSH server presents an attacker-generated host key. The goshs client\u0027s `HostKeyCallback` returns nil unconditionally. Handshake completes; the client believes it is talking to `localhost.run`.\n4. The attacker proxies the SSH session onward to the real `localhost.run:22`, forwarding the URL capture so `Start()` reads back the genuine `https://*.lhr.life` line and returns successfully. The operator sees the public URL printed to stdout exactly as expected.\n5. Every HTTP request arriving at the public URL is routed over the SSH session. The attacker reads every URL, query string, header, body, and `Authorization` value sent by every visitor.\n6. For each response the attacker can rewrite the body or headers \u2014 serving modified files, injecting HTML/JS, redirecting requests, or stripping `Set-Cookie` attributes.\n7. Captured basic-auth credentials give the attacker authenticated access to upload, share-link, catcher, clipboard, and CLI endpoints. If goshs is running credential-collection listeners (SMB/LDAP/SMTP), the captured NTLM hashes and SMTP messages flowing through the tunnel are also exposed.\n\n### Impact\n\n- **Confidentiality (High):** all HTTP request and response content is readable by the on-path attacker (URLs, headers, basic-auth `Authorization`, file contents, share-link tokens, the `?goshs-info` JSON dump).\n- **Integrity (High):** attacker can modify responses in-flight \u2014 replace served files, inject `\u003cscript\u003e` into HTML responses, swap offered binaries for backdoored ones.\n- **Availability:** not affected.\n\n### Preconditions\n\n- Operator must be running `goshs --tunnel` / `goshs -t`.\n- Attacker must hold a network-on-path position between the operator and `localhost.run:22` (LAN MITM, malicious Wi-Fi, hostile ISP/VPN, BGP hijack, or DNS spoofing combined with an attacker-controlled SSH endpoint).\n\n---\n\n### Fix (applied in v2.0.7)\n\n`ssh.InsecureIgnoreHostKey()` has been replaced with a **Trust-On-First-Use (TOFU)** host key callback backed by `~/.config/goshs/known_hosts`.\n\n**Behaviour after the fix:**\n\n- On **first connection**: goshs accepts the host key presented by `localhost.run`, writes it to `~/.config/goshs/known_hosts` (mode `0600`), and prints two warning lines:\n  ```\n  WARN  tunnel: pinned new host key for localhost.run:22 (SHA256:\u003cfingerprint\u003e) in ~/.config/goshs/known_hosts\n  WARN  tunnel: verify with: ssh-keyscan localhost.run 2\u003e/dev/null | ssh-keygen -l -f -\n  ```\n  The operator should compare the printed fingerprint against the `ssh-keyscan` output to confirm no MITM occurred on that first connection.\n\n- On **subsequent connections**: the stored key is loaded via `golang.org/x/crypto/ssh/knownhosts` and the presented key is verified against it. A mismatch returns a typed `HostKeyMismatchError` and goshs exits immediately with:\n  ```\n  FATAL tunnel: ssh: host key mismatch for localhost.run:22 \u2014 possible MITM attack.\n        If localhost.run legitimately rotated its key, delete ~/.config/goshs/known_hosts and reconnect\n  ```\n\n**Files changed:**\n\n| File | Change |\n|------|--------|\n| `config/config.go` | Added `Dir()` \u2014 creates and returns `~/.config/goshs` (mode `0700`) |\n| `main.go` | Calls `config.Dir()` on every startup to ensure the directory exists |\n| `tunnel/tunnel.go` | Replaced `InsecureIgnoreHostKey()` with `buildTOFUCallback(knownHostsFile)`; added exported `HostKeyMismatchError` type |\n| `httpserver/server.go` | Resolves `~/.config/goshs/known_hosts` via `config.Dir()`, passes it to `tunnel.Start()`; fatal-exits on `HostKeyMismatchError` |\n\n**Implementation uses only already-vendored dependencies** (`golang.org/x/crypto/ssh/knownhosts` is part of the existing `golang.org/x/crypto` direct dependency \u2014 no new modules added).",
  "id": "GHSA-mxg3-432p-mr72",
  "modified": "2026-05-15T17:17:38Z",
  "published": "2026-05-15T17:17:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-mxg3-432p-mr72"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/commit/8f409cb08aacc6e94704334e8b1fb2cd50f5dd98"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickhener/goshs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "goshs: SSH host key verification disabled, allowing transparent MITM of every tunnelled HTTP request"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.