VYPR
High severity · CVSS 7.3 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2025-70950

Description

An issue in gohttp commit 34ea51 allows attackers to execute a directory traversal via supplying a crafted request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A directory traversal vulnerability in gohttp (commit 34ea51) allows unauthenticated remote attackers to read arbitrary files via crafted request URIs.

Vulnerability

The gohttp HTTP server (all commits up to and including 34ea516ae408945398bb0a399b18355fa4abba42) contains a path traversal vulnerability in fileserver.go at line 162. The server builds the filesystem path to serve by concatenating the configured Webroot with the user-supplied request URI; it neither normalizes the result (so ../ segments are resolved by the operating system rather than rejected) nor checks that the final path still lies inside Webroot. No authentication is required to reach the vulnerable code path.

Exploitation

An unauthenticated remote attacker with network access to the gohttp server can exploit this by sending a crafted HTTP request containing directory traversal sequences (e.g., ../) in the query string. For example, curl 'http://localhost:9000/?../../../../../../../../../etc/passwd' (quoted so the shell does not treat ? as a glob) will retrieve the contents of /etc/passwd [1][2]. No special privileges or user interaction are required.

Impact

Successful exploitation allows the attacker to read arbitrary files on the server filesystem, subject to the permissions of the gohttp process. This can lead to disclosure of sensitive information such as configuration files, credentials, or system files (e.g., /etc/passwd). The vulnerability does not enable code execution or file modification.

Mitigation

As of the publication date, no upstream fix has been confirmed [1][2]. Users should restrict network access to the gohttp server (e.g., via firewall rules), deploy a reverse proxy that rejects requests whose path or query string contains traversal sequences (the published PoC places them in the query string, so filtering the URL path alone is not sufficient), or avoid using gohttp in production environments until a patch is released. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
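The following Go example is added here and is not gohttp's code. It models the pattern the Vulnerability section describes (Webroot concatenated with an untrusted request string, no normalization, no boundary check) next to a hardened resolver and a request pre-filter of the kind the Mitigation section suggests for a reverse proxy. The webroot /var/www, the function names and the sample URIs are constructed for illustration; how gohttp's fileserver.go turns the query-string form from the PoC into a filesystem path is not shown on this page, so vulnerableResolve only demonstrates what unchecked concatenation resolves to lexically.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// escapesRoot reports whether candidate (absolute and already cleaned) lies
// outside root. Comparing against root plus a separator prevents a sibling
// such as /var/www2 from passing a check for /var/www.
func escapesRoot(root, candidate string) bool {
	return candidate != root && !strings.HasPrefix(candidate, root+string(filepath.Separator))
}

// vulnerableResolve is a hypothetical reconstruction of the weak pattern the
// advisory describes, not gohttp's own code: webroot + untrusted string, with
// no normalization and no boundary check. The return value is what the OS
// would resolve lexically; ".." segments simply climb out of the webroot.
func vulnerableResolve(webroot, untrusted string) string {
	return filepath.Clean(webroot + untrusted)
}

// safeResolve is the hardened counterpart:
//  1. use only the URL path (a query string never names a file to serve),
//  2. force a leading "/" and path.Clean it, so leading ".." segments are
//     dropped instead of escaping,
//  3. join onto the absolute webroot with the OS separator, and
//  4. as defence in depth, refuse any result that still escapes the webroot.
func safeResolve(webroot, rawRequestURI string) (string, error) {
	u, err := url.ParseRequestURI(rawRequestURI)
	if err != nil {
		return "", fmt.Errorf("bad request URI: %w", err)
	}
	clean := path.Clean("/" + u.Path) // percent-decoded by ParseRequestURI
	root, err := filepath.Abs(webroot)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, filepath.FromSlash(clean))
	if escapesRoot(root, full) {
		return "", fmt.Errorf("request %q escapes webroot", rawRequestURI)
	}
	return full, nil
}

// looksLikeTraversal is a cheap pre-filter suitable for a reverse proxy rule:
// it percent-decodes the raw URI and flags any ".." segment in either the
// path or the query, which covers the /?../../ form used in the PoC.
func looksLikeTraversal(rawRequestURI string) bool {
	decoded, err := url.PathUnescape(rawRequestURI)
	if err != nil {
		return true // undecodable input is rejected rather than guessed at
	}
	segments := strings.FieldsFunc(decoded, func(r rune) bool {
		return r == '/' || r == '\\' || r == '?' || r == '&' || r == '='
	})
	for _, seg := range segments {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	root := "/var/www" // constructed sample webroot
	for _, uri := range []string{
		"/index.html",
		"/../../../../etc/passwd",
		"/?../../../../../../../../../etc/passwd", // form reported for CVE-2025-70950
		"/..%2f..%2fetc/passwd",
	} {
		fmt.Printf("%-45s vulnerable=%s", uri, vulnerableResolve(root, uri))
		if p, err := safeResolve(root, uri); err != nil {
			fmt.Printf("  safe=REJECTED (%v)", err)
		} else {
			fmt.Printf("  safe=%s", p)
		}
		fmt.Printf("  traversal=%v\n", looksLikeTraversal(uri))
	}
}
```

Note that safeResolve never errors on the traversal inputs above: path.Clean on a slash-prefixed path confines them to the webroot ("/../../etc/passwd" becomes /var/www/etc/passwd, and the PoC's query string is ignored entirely), so the escapesRoot check only fires on a later bug. looksLikeTraversal is the layer that turns such requests into a loggable rejection at the proxy.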

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)