CVE-2025-46816
9.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Summary
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function dispatchReadPump does not checks the option cli -c, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| patrickhener | goshs | >= 0.3.4, < 1.0.5 | affected |
Weaknesses
- CWE-284: CWE-284: Improper Access Control
- CWE-77: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
- https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm
- https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.