CVE-2025-46816: goshs route not protected, allows command execution

9.4 CVSS

Description

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

Classification

CVE ID: CVE-2025-46816

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.4

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Problem Types

CWE-284: Improper Access Control CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Affected Products

Vendor: patrickhener

Product: goshs

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (probability of being exploited)

EPSS Percentile: 27.47% (scored less or equal to compared to others)

EPSS Date: 2025-06-04 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-46816
https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm
https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa

Timeline

2025-05-06 19:40:18 UTC
CVE

goshs route not protected, allows command execution