GHSA-5h6h-7rc9-3824: SFTP root escape via prefix-based path validation in goshs

April 14, 2026

goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.

References

github.com/advisories/GHSA-5h6h-7rc9-3824
github.com/patrickhener/goshs
github.com/patrickhener/goshs/releases/tag/v2.0.0
github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824

Code Behaviors & Features

Detect and mitigate GHSA-5h6h-7rc9-3824 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →