CVE-2025-46816

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-46816

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46816.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-46816

Aliases

Published

2025-05-06T19:16:00Z

Modified

2025-05-17T14:25:44.085421Z

Summary

[none]

Details

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function dispatchReadPump does not checks the option cli -c, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

References

Affected packages

Git / github.com/patrickhener/goshs

Affected ranges

Type: GIT
Repo: https://github.com/patrickhener/goshs
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

160220974576afe5111485b8d12fd36058984cfa

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.8

v0.0.9

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.1.9

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.0

v0.4.1

v0.4.2

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4