GHSA-55f6-4pr5-c7m5: Kahi has privilege-drop and socket/log permission issues
Kahi versions up to and including v0.1.0-alpha.8 have three privilege and permission issues related to improper privilege dropping and socket permissions. These issues allow processes to run with higher privileges than intended and expose FastCGI unix sockets to unauthorized local users. The issues are fixed in version v0.1.0-alpha.9, which enforces fail-closed privilege handling and restricts socket permissions by default.
AI Analysis
Technical Summary
Kahi releases up to v0.1.0-alpha.8 have three security issues: (1) a high-severity flaw where per-process privilege drop was not applied, causing child processes to run with the supervisor's privileges (often root) instead of the configured lower-privilege user; (2) a medium-severity issue where supplementary groups were not reset during privilege drop, allowing inherited elevated group privileges; and (3) a medium-severity issue where FastCGI unix sockets were world-accessible by default unless an explicit restrictive socket_mode was set. These issues were identified in a full codebase security review and fixed in v0.1.0-alpha.9 by enforcing fail-closed privilege handling, resetting supplementary groups, and defaulting FastCGI socket permissions to 0700.
Potential Impact
Processes intended to run with reduced privileges may instead run with elevated privileges, increasing the risk of privilege escalation. Supplementary groups with elevated permissions remain active after privilege drop, potentially granting unintended access. FastCGI unix sockets being world-accessible by default allow any local user to connect, potentially exposing sensitive services or data.
Mitigation Recommendations
Upgrade to Kahi version v0.1.0-alpha.9, which fixes all identified privilege and permission issues by enforcing privilege drops or refusing to start, resetting supplementary groups, and setting restrictive default socket permissions. For versions <= v0.1.0-alpha.8, workarounds include running the supervisor as the intended unprivileged user instead of relying on per-process user configuration, explicitly setting restrictive socket_mode on FastCGI programs, and avoiding running the supervisor as root where possible.
GHSA-55f6-4pr5-c7m5: Kahi has privilege-drop and socket/log permission issues
Description
Kahi versions up to and including v0.1.0-alpha.8 have three privilege and permission issues related to improper privilege dropping and socket permissions. These issues allow processes to run with higher privileges than intended and expose FastCGI unix sockets to unauthorized local users. The issues are fixed in version v0.1.0-alpha.9, which enforces fail-closed privilege handling and restricts socket permissions by default.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Kahi releases up to v0.1.0-alpha.8 have three security issues: (1) a high-severity flaw where per-process privilege drop was not applied, causing child processes to run with the supervisor's privileges (often root) instead of the configured lower-privilege user; (2) a medium-severity issue where supplementary groups were not reset during privilege drop, allowing inherited elevated group privileges; and (3) a medium-severity issue where FastCGI unix sockets were world-accessible by default unless an explicit restrictive socket_mode was set. These issues were identified in a full codebase security review and fixed in v0.1.0-alpha.9 by enforcing fail-closed privilege handling, resetting supplementary groups, and defaulting FastCGI socket permissions to 0700.
Potential Impact
Processes intended to run with reduced privileges may instead run with elevated privileges, increasing the risk of privilege escalation. Supplementary groups with elevated permissions remain active after privilege drop, potentially granting unintended access. FastCGI unix sockets being world-accessible by default allow any local user to connect, potentially exposing sensitive services or data.
Mitigation Recommendations
Upgrade to Kahi version v0.1.0-alpha.9, which fixes all identified privilege and permission issues by enforcing privilege drops or refusing to start, resetting supplementary groups, and setting restrictive default socket permissions. For versions <= v0.1.0-alpha.8, workarounds include running the supervisor as the intended unprivileged user instead of relying on per-process user configuration, explicitly setting restrictive socket_mode on FastCGI programs, and avoiding running the supervisor as root where possible.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-55f6-4pr5-c7m5
- Osv Schema Version
- 1.4.0
- Aliases
- []
- Ecosystems
- ["Go"]
- Database Specific Severity
- HIGH
- Cvss Version
- null
Threat ID: 6a4452e927e9c797198e1aa0
Added to database: 06/30/2026, 23:36:09 UTC
Last enriched: 06/30/2026, 23:52:31 UTC
Last updated: 06/30/2026, 23:52:31 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.