CVE-2025-46816

CRITICAL

goshs 0.3.4-1.0.4 - Unauthenticated Remote Code Execution via WebSocket Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-46816. PoCs published by Guilhem7.

AI-analyzed exploit summary This PoC exploits an unauthenticated code execution vulnerability in goshs versions < 1.0.5 via WebSocket command injection. It establishes a connection to a target WebSocket endpoint and allows arbitrary command execution through a JSON payload.

Description

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

Exploits (1)

nomisec WORKING POC 3 stars
by Guilhem7 · poc
https://github.com/Guilhem7/CVE-2025-46816

This PoC exploits an unauthenticated code execution vulnerability in goshs versions < 1.0.5 via WebSocket command injection. It establishes a connection to a target WebSocket endpoint and allows arbitrary command execution through a JSON payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: goshs < 1.0.5
No auth needed
Prerequisites: Target WebSocket endpoint accessible · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.4
EPSS 0.0016
EPSS Percentile 36.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-284 CWE-77
Status published
Products (2)
patrickhener/goshs 0.3.4 - 1.0.5Go
patrickhener/goshs >= 0.3.4, < 1.0.5
Published May 06, 2025
Tracked Since Feb 18, 2026