CVE-2025-46816

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-46816

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46816.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-46816

Aliases

Downstream

openSUSE-SU-2025:15135-1

Related

openSUSE-SU-2025:15135-1

Published

2025-05-06T18:41:58Z

Modified

2025-10-22T18:46:12.544300Z

Severity

9.4 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator

Summary

goshs route not protected, allows command execution

Details

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function dispatchReadPump does not checks the option cli -c, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-284",
        "CWE-77"
    ]
}

References

Affected packages

Git / github.com/patrickhener/goshs

Affected ranges

Type: GIT
Repo: https://github.com/patrickhener/goshs
Events: Introduced

188589596594765ad4b22d2709fc5ca848c6a56a

Fixed

1eb190b81f7a7d8bbb94387c3d192a0dfa420e87

Affected versions

v0.*

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.0

v0.4.1

v0.4.2

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4