CVE-2025-46816 CRITICAL

CVE-2025-46816: goshs route not protected, allows command execution

Vendor Patrickhener
Product goshs
Weakness CWE-284
Published May 6, 2025
Last update May 6, 2025

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

Description

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the `-c` CLI option, thus allowing anyone to execute arbitrary commands through the use of WebSockets. Version 1.0.5 fixes the issue.

Key dates

Disclosure timeline

May 6, 2025 CVE published
May 6, 2025 Record updated