It seems that when running goshs without arguments it is possible for anyone to execute commands on the server. This was tested on version 1.0.4 of goshs. The command function was introduced in version 0.3.4.
It seems that the function dispatchReadPump does not check the CLI option -c, thus allowing anyone to execute arbitrary commands through the use of websockets.
Used websocat for the POC:
echo -e '{"type": "command", "content": "id"}' |./websocat 'ws://192.168.1.11:8000/?ws' -t
The vulnerability only impacts goshs servers running vulnerable versions.
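The missing check described above, sketched as an added example (this is not goshs source code): a websocket message dispatcher that refuses `command` packets unless the operator opted in with `-c`. The `Dispatcher` type, its fields and `ErrCLIDisabled` are hypothetical names; only the packet shape is taken from the PoC.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Packet mirrors the JSON shape shown in the PoC: {"type": ..., "content": ...}.
type Packet struct {
	Type    string `json:"type"`
	Content string `json:"content"`
}

// ErrCLIDisabled is returned when a command packet arrives without operator opt-in.
var ErrCLIDisabled = errors.New("command packets rejected: CLI mode not enabled")

// Dispatcher is a hypothetical stand-in for the server's websocket message router.
type Dispatcher struct {
	CLIEnabled bool                         // assumed to be set only when -c was passed
	RunCommand func(string) (string, error) // injected so the gate is testable without a shell
}

// Dispatch decodes one websocket message; the gate runs before any command handler.
func (d *Dispatcher) Dispatch(raw []byte) (string, error) {
	var p Packet
	if err := json.Unmarshal(raw, &p); err != nil {
		return "", fmt.Errorf("malformed packet: %w", err)
	}
	switch p.Type {
	case "command":
		// Fail closed: the zero value of CLIEnabled (no -c) must reject.
		if !d.CLIEnabled || d.RunCommand == nil {
			return "", ErrCLIDisabled
		}
		return d.RunCommand(p.Content)
	default:
		return "", fmt.Errorf("unsupported packet type %q", p.Type)
	}
}

func main() {
	executed := false
	run := func(c string) (string, error) { executed = true; return "ran " + c, nil }
	d := &Dispatcher{RunCommand: run}
	msg := []byte(`{"type": "command", "content": "id"}`) // constructed sample, PoC shape
	_, err := d.Dispatch(msg)
	fmt.Println("default config:", err, "| executed:", executed)
	d.CLIEnabled = true
	out, _ := d.Dispatch(msg)
	fmt.Println("with -c:", out)
}
```

Keeping the check inside the dispatcher, rather than only hiding the CLI in the web UI, means a client that speaks to the websocket directly hits the same gate.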
{ "nvd_published_at": "2025-05-06T19:16:00Z", "cwe_ids": [ "CWE-284", "CWE-77" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-05-06T16:45:17Z" }