GHSA-MXG3-432P-MR72: SSH Host Key Verification Disabled in goshs

DEV Community·CVE Reports·17 days ago
#security #cve #cybersecurity #ghsa #goshs #mxg3

Vulnerability ID: GHSA-MXG3-432P-MR72
CVSS Score: 8.1
Published: 2026-05-15

A critical vulnerability in the Go-based file server goshs allows transparent Man-in-the-Middle (MITM) attacks during SSH tunnel establishment. By utilizing ssh.InsecureIgnoreHostKey() as the HostKeyCallback, versions prior to 2.0.7 fail to validate remote server identity.

TL;DR

goshs versions before 2.0.7 disable SSH host key verification when establishing remote tunnels. This flaw allows an attacker with a privileged network position to intercept the SSH connection and access the underlying unencrypted HTTP traffic.…
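
The difference between an accept-all host key check and a pinned one, as an added example that is not goshs code and not taken from the advisory. It uses only the Go standard library and models the callback on the key's wire-format bytes (what PublicKey.Marshal() returns in golang.org/x/crypto/ssh); the type and function names, the host name and the key blobs are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// hostKeyCheck mirrors the decision an SSH HostKeyCallback makes (assumed shape).
type hostKeyCheck func(hostname string, keyBlob []byte) error

// fingerprintSHA256 renders the OpenSSH-style fingerprint: "SHA256:" followed
// by the unpadded base64 of SHA-256 over the key blob.
func fingerprintSHA256(keyBlob []byte) string {
	sum := sha256.Sum256(keyBlob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// acceptAny behaves like ssh.InsecureIgnoreHostKey(): every key passes.
func acceptAny() hostKeyCheck {
	return func(string, []byte) error { return nil }
}

// pinned accepts only the fingerprint recorded out of band for this host.
func pinned(host, wantFP string) hostKeyCheck {
	return func(hostname string, keyBlob []byte) error {
		got := fingerprintSHA256(keyBlob)
		if hostname != host || subtle.ConstantTimeCompare([]byte(got), []byte(wantFP)) != 1 {
			return fmt.Errorf("host key mismatch: %s presented %s", hostname, got)
		}
		return nil
	}
}

// Constructed stand-ins for key blobs; real ones come from the SSH handshake.
var (
	genuineKey  = []byte("constructed-genuine-host-key")
	imposterKey = []byte("constructed-interceptor-host-key")
)

func main() {
	const host = "tunnel.example:22" // hypothetical tunnel endpoint
	check := pinned(host, fingerprintSHA256(genuineKey))
	fmt.Println("accept-any, imposter key:", acceptAny()(host, imposterKey))
	fmt.Println("pinned, genuine key:     ", check(host, genuineKey))
	fmt.Println("pinned, imposter key:    ", check(host, imposterKey))
}
```

With golang.org/x/crypto/ssh itself, the same effect comes from setting HostKeyCallback to ssh.FixedHostKey(key) or to a callback built by the knownhosts package.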
