GHSA-rwj2-w85g-5cmm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rwj2-w85g-5cmm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-rwj2-w85g-5cmm/GHSA-rwj2-w85g-5cmm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rwj2-w85g-5cmm
- Aliases
- Published
- 2025-05-06T16:45:17Z
- Modified
- 2025-05-15T20:41:56.148303Z
- Severity
-
- 9.4 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
- Summary
- goshs route not protected, allows command execution
- Details
-
Summary
It seems that when running goshs without arguments it is possible for anyone to execute commands on the server. This was tested on version 1.0.4 of goshs. The command function was introduced in version 0.3.4.
Details
It seems that the function
dispatchReadPumpdoes not checks the option cli-c, thus allowing anyone to execute arbitrary command through the use of websockets.PoC
Used websocat for the POC:
echo -e '{"type": "command", "content": "id"}' |./websocat 'ws://192.168.1.11:8000/?ws' -tImpact
The vulnerability will only impacts goshs server on vulnerable versions.
- Database specific
{ "nvd_published_at": "2025-05-06T19:16:00Z", "cwe_ids": [ "CWE-284", "CWE-77" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-05-06T16:45:17Z" }- References
Affected packages
Go / github.com/patrickhener/goshs
Package
- Name
- github.com/patrickhener/goshs
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/patrickhener/goshs