Summary
The --tunnel / -t flag opens an outbound SSH connection to localhost.run:22 with HostKeyCallback: ssh.InsecureIgnoreHostKey(). The Go documentation for that function states verbatim: "It should not be used for production code." With the callback disabled the client accepts any host key the server presents, so an attacker who can intercept the operator's TCP connection to localhost.run:22 (any router on the path, malicious local network, ARP/DNS spoof on the operator's LAN, BGP hijack, malicious VPN) can present their own SSH host key, terminate the SSH session locally, and proxy onward, sitting transparently in the middle of the tunnel.
Because localhost.run does TLS termination at their end, the HTTP traffic on the SSH leg is plaintext, so the on-path attacker reads and rewrites every request and response in cleartext. The goshs operator gets no warning; the public URL works normally.
Affected Code
File: tunnel/tunnel.go
func Start(localIP string, localPort int) (*Tunnel, error) {
config := &ssh.ClientConfig{
User: "nokey",
Auth: []ssh.AuthMethod{ssh.Password("")},
HostKeyCallback: ssh.InsecureIgnoreHostKey(), // accepts any server key
Timeout: 10 * time.Second,
BannerCallback: func(banner string) error { return nil },
}
client, err := ssh.Dial("tcp", "localhost.run:22", config)
...
}
There is no fallback verification, no ssh.FixedHostKey, no known_hosts read, no TOFU pin. Every invocation of goshs --tunnel is equally vulnerable.
Exploit Chain
- Operator runs
goshs --tunnel.tunnel.Start()opens an SSH client tolocalhost.run:22withInsecureIgnoreHostKey(). - Attacker positioned on the network path (compromised router, café Wi-Fi MITM, malicious VPN exit, hostile ISP, BGP hijack, or
arpspoof+ DNS spoof on the operator's LAN) intercepts the outbound TCP connection tolocalhost.run:22and answers with their own SSH server. - The attacker's fake SSH server presents an attacker-generated host key. The goshs client's
HostKeyCallbackreturns nil unconditionally. Handshake completes; the client believes it is talking tolocalhost.run. - The attacker proxies the SSH session onward to the real
localhost.run:22, forwarding the URL capture soStart()reads back the genuinehttps://*.lhr.lifeline and returns successfully. The operator sees the public URL printed to stdout exactly as expected. - Every HTTP request arriving at the public URL is routed over the SSH session. The attacker reads every URL, query string, header, body, and
Authorizationvalue sent by every visitor. - For each response the attacker can rewrite the body or headers, serving modified files, injecting HTML/JS, redirecting requests, or stripping
Set-Cookieattributes. - Captured basic-auth credentials give the attacker authenticated access to upload, share-link, catcher, clipboard, and CLI endpoints. If goshs is running credential-collection listeners (SMB/LDAP/SMTP), the captured NTLM hashes and SMTP messages flowing through the tunnel are also exposed.
Preconditions
- Operator must be running
goshs --tunnel/goshs -t. - Attacker must hold a network-on-path position between the operator and
localhost.run:22(LAN MITM, malicious Wi-Fi, hostile ISP/VPN, BGP hijack, or DNS spoofing combined with an attacker-controlled SSH endpoint).
Fix (applied in v2.0.7)
ssh.InsecureIgnoreHostKey() has been replaced with a Trust-On-First-Use (TOFU) host key callback backed by ~/.config/goshs/known_hosts.
Behaviour after the fix:
On first connection: goshs accepts the host key presented by
localhost.run, writes it to~/.config/goshs/known_hosts(mode0600), and prints two warning lines:WARN tunnel: pinned new host key for localhost.run:22 (SHA256:<fingerprint>) in ~/.config/goshs/known_hosts WARN tunnel: verify with: ssh-keyscan localhost.run 2>/dev/null | ssh-keygen -l -f -The operator should compare the printed fingerprint against the
ssh-keyscanoutput to confirm no MITM occurred on that first connection.On subsequent connections: the stored key is loaded via
golang.org/x/crypto/ssh/knownhostsand the presented key is verified against it. A mismatch returns a typedHostKeyMismatchErrorand goshs exits immediately with:FATAL tunnel: ssh: host key mismatch for localhost.run:22, possible MITM attack. If localhost.run legitimately rotated its key, delete ~/.config/goshs/known_hosts and reconnect
Files changed:
| File | Change |
|---|---|
config/config.go |
Added Dir(), creates and returns ~/.config/goshs (mode 0700) |
main.go |
Calls config.Dir() on every startup to ensure the directory exists |
tunnel/tunnel.go |
Replaced InsecureIgnoreHostKey() with buildTOFUCallback(knownHostsFile); added exported HostKeyMismatchError type |
httpserver/server.go |
Resolves ~/.config/goshs/known_hosts via config.Dir(), passes it to tunnel.Start(); fatal-exits on HostKeyMismatchError |
Implementation uses only already-vendored dependencies (golang.org/x/crypto/ssh/knownhosts is part of the existing golang.org/x/crypto direct dependency, no new modules added).
Impact
- Confidentiality (High): all HTTP request and response content is readable by the on-path attacker (URLs, headers, basic-auth
Authorization, file contents, share-link tokens, the?goshs-infoJSON dump). - Integrity (High): attacker can modify responses in-flight, replace served files, inject
<script>into HTML responses, swap offered binaries for backdoored ones. - Availability: not affected.
GHSA-MXG3-432P-MR72 has a CVSS score of 7.4 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.0.7); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-MXG3-432P-MR72? GHSA-MXG3-432P-MR72 is a high-severity security vulnerability in goshs.de/goshs/v2 (go), affecting versions <= 2.0.6. It is fixed in 2.0.7.
- How severe is GHSA-MXG3-432P-MR72? GHSA-MXG3-432P-MR72 has a CVSS score of 7.4 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of goshs.de/goshs/v2 are affected by GHSA-MXG3-432P-MR72? goshs.de/goshs/v2 (go) versions <= 2.0.6 is affected.
- Is there a fix for GHSA-MXG3-432P-MR72? Yes. GHSA-MXG3-432P-MR72 is fixed in 2.0.7. Upgrade to this version or later.
- Is GHSA-MXG3-432P-MR72 exploitable, and should I be worried? Whether GHSA-MXG3-432P-MR72 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-MXG3-432P-MR72 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-MXG3-432P-MR72? Upgrade
goshs.de/goshs/v2to 2.0.7 or later.