CVE-2025-46816

Summary

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function dispatchReadPump does not checks the option cli -c, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
patrickhenergoshs>= 0.3.4, < 1.0.5affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control
  • CWE-77: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References