{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/goshs/v2--2.0.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["goshs/v2 \u003c= 2.0.6"],"_cs_severities":["high"],"_cs_tags":["mitm","ssh","insecure-configuration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe goshs application, prior to version 2.0.7, is vulnerable to a man-in-the-middle (MITM) attack when using the \u003ccode\u003e--tunnel\u003c/code\u003e or \u003ccode\u003e-t\u003c/code\u003e flag. The application opens an outbound SSH connection to \u003ccode\u003elocalhost.run:22\u003c/code\u003e with host key verification disabled via \u003ccode\u003essh.InsecureIgnoreHostKey()\u003c/code\u003e. This insecure configuration allows an attacker positioned on the network path to intercept the TCP connection, present their own SSH host key, and proxy the connection. Because \u003ccode\u003elocalhost.run\u003c/code\u003e performs TLS termination, the attacker can read and rewrite all HTTP request and response content in plaintext. This vulnerability allows for the exfiltration of sensitive data and modification of served content.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user executes \u003ccode\u003egoshs --tunnel\u003c/code\u003e to create a tunnel.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003etunnel.Start()\u003c/code\u003e initiates an SSH connection to \u003ccode\u003elocalhost.run:22\u003c/code\u003e with \u003ccode\u003eInsecureIgnoreHostKey()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn attacker, positioned on the network path, intercepts the TCP connection to \u003ccode\u003elocalhost.run:22\u003c/code\u003e and responds with a malicious SSH server.\u003c/li\u003e\n\u003cli\u003eThe malicious SSH server presents a fake SSH host key, which the goshs client accepts due to the disabled host key verification.\u003c/li\u003e\n\u003cli\u003eThe attacker proxies the SSH session onward to the real \u003ccode\u003elocalhost.run:22\u003c/code\u003e to retrieve the public URL.\u003c/li\u003e\n\u003cli\u003eAll subsequent HTTP requests to the public URL are routed through the attacker\u0026rsquo;s proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts all HTTP requests and responses, reading sensitive data such as URLs, headers, authentication credentials, and file contents.\u003c/li\u003e\n\u003cli\u003eThe attacker can modify HTTP responses, inject malicious content, or redirect requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability can lead to significant data breaches and compromise of system integrity. All HTTP request and response content, including sensitive information such as URLs, headers, basic authentication credentials, file contents, and share-link tokens, can be read by the attacker. Furthermore, attackers can modify responses in transit, replacing served files, injecting malicious scripts, or substituting binaries with backdoored versions. This poses a high risk to both the confidentiality and integrity of the data being transmitted through the goshs tunnel.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to goshs version 2.0.7 or later to benefit from the fix that replaces \u003ccode\u003essh.InsecureIgnoreHostKey()\u003c/code\u003e with a TOFU host key verification mechanism.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to \u003ccode\u003elocalhost.run:22\u003c/code\u003e originating from goshs processes to detect potential MITM attempts, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eRegularly inspect the \u003ccode\u003e~/.config/goshs/known_hosts\u003c/code\u003e file to ensure the host key for \u003ccode\u003elocalhost.run:22\u003c/code\u003e has not been tampered with (after upgrading).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T17:19:20Z","date_published":"2026-05-15T17:19:20Z","id":"https://feed.craftedsignal.io/briefs/2026-05-goshs-mitm/","summary":"The goshs application disables SSH host key verification when using the --tunnel flag, making it vulnerable to man-in-the-middle attacks that expose plaintext HTTP traffic.","title":"goshs SSH Tunnel Vulnerable to MITM via Insecure Host Key Handling","url":"https://feed.craftedsignal.io/briefs/2026-05-goshs-mitm/"}],"language":"en","title":"CraftedSignal Threat Feed — Goshs/V2 \u003c= 2.0.6","version":"https://jsonfeed.org/version/1.1"}