GHSA-xjvp-7243-rg9h: Critical Path Traversal in Wish SCP Middleware Allows Arbitrary File Read/Write

Vulnerability ID: GHSA-XJVP-7243-RG9H
CVSS Score: 9.6
Published: 2026-04-18

A critical path traversal vulnerability in the SCP middleware of the Wish Go library (GHSA-xjvp-7243-rg9h) permits attackers to read and write arbitrary files outside the configured root directory. The flaw originates from insufficient path sanitization in the fileSystemHandler.prefixed() method, enabling severe impacts including remote code execution if critical system files are overwritten. Exploitation requires authentication unless the target server explicitly runs without authentication protocols.

TL;DR

A path traversal flaw in the Wish SCP middleware allows arbitrary file read and write operations outside the designated root directory via crafted SCP requests.

⚠️ Exploit Status: POC

Technical Details

• Advisory ID: GHSA-xjvp-7243-rg9h
• CVSS Score: 9.6
• Attack Vector: Network
• CWE ID: CWE-22
• Impact: Arbitrary File Read/Write
• Exploit Status: Proof-of-Concept Available

Affected Systems

• Custom SSH Servers built with charm.land/wish/v2 <= 2.0.0
• Custom SSH Servers built with github.com/charmbracelet/wish <= 1.4.7
• charm.land/wish/v2: <= 2.0.0 (Fixed in: 2.0.1)
• github.com/charmbracelet/wish: <= 1.4.7 (Fixed in: None)

Mitigation Strategies

• Dependency Upgrade
• Service Disablement
• Defense-in-Depth Isolation

Remediation Steps:

1. Update go.mod to use charm.land/wish/v2 v2.0.1 or higher.
2. Execute go mod tidy to download the patched dependencies.
3. Recompile the Go application.
4. Restart the custom SSH server service.

References

• GitHub Advisory: GHSA-xjvp-7243-rg9h
• OSV Record
• Project Repository

Read the full report for GHSA-XJVP-7243-RG9H on our website for more details including interactive diagrams and full exploit analysis.