CVE-2025-46816

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-46816
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46816.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-46816
Aliases
Downstream
Related
Published
2025-05-06T18:41:58Z
Modified
2025-10-22T18:46:12.544300Z
Severity
  • 9.4 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
goshs route not protected, allows command execution
Details

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function dispatchReadPump does not checks the option cli -c, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

Database specific
{
    "cwe_ids": [
        "CWE-284",
        "CWE-77"
    ]
}
References

Affected packages

Git / github.com/patrickhener/goshs

Affected ranges

Type
GIT
Repo
https://github.com/patrickhener/goshs
Events

Affected versions

v0.*

v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.2

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4