
Goshs

v2.1.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched

Topics

capture-the-flag, ctf, devtools, dns, file-server, file-transfer, go, http-server, https-server, kali-linux, ldap, ntlm, offensive-security, penetration-testing, red-teaming, security-tools, sftp, smb, smtp-server, webdav

Affected surfaces

auth

ReleasePort's take


Version v2.1.0 resolves a Share‑link token race condition and ensures WebDAV listeners honor read‑only, upload‑only, and no‑delete flags.

Why it matters: Fixes GHSA-j48m-h7xq-2xpj (severity 90) preventing download‑limit races; fixes GHSA-3whc-qvhv-xqjp (severity 85) making WebDAV flag enforcement reliable.

AI summary

Security fixes for Share‑link race and WebDAV flag handling, bug fixes across multiple modules, and project repository relocation.

Changes in this release

Security, Critical

  • Fixes GHSA-j48m-h7xq-2xpj: prevents Share-link token redemption races past the download limit. (Source: llm_adapter@2026-05-29; confidence: high)

Security, High

  • Fixes GHSA-3whc-qvhv-xqjp: the WebDAV listener now respects the --read-only, --upload-only, and --no-delete flags. (Source: llm_adapter@2026-05-29; confidence: high)

Bugfix, Medium

  • WebSocket handlers enforce a same-host origin check, rejecting cross-origin connections. (Source: llm_adapter@2026-05-29; confidence: high)
  • Catcher session IDs upgraded to 128-bit crypto/rand values, eliminating predictability and collisions. (Source: llm_adapter@2026-05-29; confidence: high)
  • Default reply IP set in the DNS server constructor, fixing a race on concurrent requests. (Source: llm_adapter@2026-05-29; confidence: high)
  • SFTP `Setstat` no longer applies chmod 000 when the mode attribute is omitted. (Source: llm_adapter@2026-05-29; confidence: high)
  • LDAP `readTLV()` now enforces a 1 MB size guard to avoid unbounded memory allocation on malformed packets. (Source: llm_adapter@2026-05-29; confidence: high)
  • Clipboard store now uses sync.RWMutex to avoid race conditions on concurrent reads/writes. (Source: llm_adapter@2026-05-29; confidence: low)
  • Auth cache replaced with a time-based expiry map, preventing unbounded memory growth. (Source: llm_adapter@2026-05-29; confidence: low)
  • Context menu "Open" always opens the target in a new browser tab instead of toggling preview/navigation based on file type. (Source: granite4.1:30b@2026-05-29-audit; confidence: low)

Bugfix, Low

  • Corrected internal chunkSize from 256 MB back to the intended 16 MB. (Source: llm_adapter@2026-05-29; confidence: high)

Full changelog

What Changed in v2.1.0

Security fixes

  • GHSA-j48m-h7xq-2xpj — Fixed Share-link ?token=… redemption races past download limit
  • GHSA-3whc-qvhv-xqjp — Fixed WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags
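The Share-link race behind GHSA-j48m-h7xq-2xpj is a check-then-decrement on a per-token download counter. The example below is added here and is not Goshs's code: a hypothetical `ShareLink` type does the check and the decrement under one lock, and a concurrent harness shows that no more downloads are served than the limit allows.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// ShareLink tracks the remaining download allowance of one ?token=… link.
// Hypothetical type written for this example; it is not Goshs's own code.
type ShareLink struct {
	mu        sync.Mutex
	remaining int
}

// Redeem checks the allowance and decrements it under one lock, so two
// concurrent requests cannot both observe "1 left" and both be served.
func (l *ShareLink) Redeem() bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.remaining <= 0 {
		return false
	}
	l.remaining--
	return true
}

// HammerRedeem fires n concurrent redemptions of one link and returns how
// many were served; a race-free implementation never exceeds the limit.
func HammerRedeem(l *ShareLink, n int) int {
	var wg sync.WaitGroup
	var served int64
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if l.Redeem() {
				atomic.AddInt64(&served, 1)
			}
		}()
	}
	wg.Wait()
	return int(served)
}

func main() {
	link := &ShareLink{remaining: 1} // a single-download share link
	fmt.Println("served:", HammerRedeem(link, 100))
}
```

Running the harness under `go test -race` is the quickest way to confirm that a future refactor of the counter has not reintroduced the check-then-act window.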

Bug fixes

  • Context menu "Open" (#166) — The right-click "Open" action now always opens the target in a new browser tab instead of toggling between preview and navigation depending on file type
  • Clipboard data race — Added sync.RWMutex to the clipboard store; concurrent reads and writes no longer cause a race condition
  • Auth cache — Replaced the unbounded boolean auth cache with a time-based expiry map, preventing unbounded memory growth on repeated auth attempts
  • WebSocket origin check — Both the main WebSocket handler and the catcher WebSocket now enforce a same-host origin check, rejecting cross-origin connections
  • Catcher session IDs — Session IDs upgraded from 32-bit + timestamp to 128-bit crypto/rand, eliminating predictability and timestamp-based collisions
  • DNS server data race — Default reply IP is now set in the constructor rather than the handler, fixing a race on concurrent DNS requests
  • SFTP Setstat — chmod 000 no longer applied when a Setstat request omits the mode attribute
  • LDAP TLV read — Added a 1 MB size guard in readTLV() to prevent unbounded memory allocation on malformed LDAP packets
  • Chunk size constant — Corrected internal chunkSize from 256 MB to the intended 16 MB

Project

Dependencies

  • Bumped github/codeql-action to 4.36.0



Related context

Earlier breaking changes

  • v2.0.7: the `--update` command (the update mechanism) is broken in that release.
