CVE-2025-40876: gosh SFTP Root Directory Escape via Prefix Validation Flaw

SFTP Root Directory Escape Vulnerability Summary (CVE-2025-40876) Vulnerability Overview Vulnerability Name: SFTP root escape via prefix-based path validation in gosh CVE ID: CVE-2025-40876 CVSS Score: 8.7 / 10 (High) Affected Software: (Go) Affected Versions: Fixed Version: Detailed Description: This vulnerability stems from a flaw in prefix-based path validation logic. In , the function checks whether a path is within the configured SFTP root directory using . Since this is a simple string prefix comparison rather than a directory boundary check, an attacker can bypass restrictions by crafting a “sibling path”. For example, when the root directory is , the path will incorrectly pass validation because it starts with . This allows an authenticated SFTP user to escape the configured root directory and read, write, create, rename, or delete files outside of it. Impact Scope Confidentiality: High – Sensitive files outside the root directory can be read. Integrity: High – Files outside the root directory can be modified. Availability: High – Files outside the root directory can be deleted. Attack Vector: Network Attack Complexity: Low User Interaction: None Remediation 1. Replace Prefix Check: Replace the original prefix check with true directory boundary validation, e.g., require the path to be exactly equal to the root directory or have the root directory followed immediately by a path separator (such as ). 2. Enhance Path Sanitization: Implement strict path sanitization logic similar to HTTP in SFTP, ensuring all file serving modes share the same boundary logic. 3. Regression Testing: Add regression tests for sibling path cases (e.g., ) instead of only traditional traversal payloads (e.g., ). POC Code (Single-script verification)

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-40876: gosh SFTP Root Directory Escape via Prefix Validation Flaw

More from this source