CVE-2025-46816

CRITICAL

goshs <1.0.5 - Command Injection

Title source: llm

Description

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

Exploits (1)

nomisec WORKING POC 3 stars

by Guilhem7 · poc

https://github.com/Guilhem7/CVE-2025-46816

View Code ZIP pw:eip

References (2)

[Patch] https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa

[Vendor Advisory] https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm

Scores

CVSS v3 9.4

EPSS 0.0016

EPSS Percentile 36.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Details

CWE

CWE-284 CWE-77

Status published

Products (2)

patrickhener/goshs 0.3.4 - 1.0.5Go

patrickhener/goshs >= 0.3.4, < 1.0.5

Published May 06, 2025

Tracked Since Feb 18, 2026