CVE-2025-46816

Published: May 6, 2025Modified: May 7, 2025

9.4

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Exploitability: 3.9 / Impact: 5.5

Source: security-advisories@github.com (Secondary)

Description

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (2)

https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa

Source: security-advisories@github.com

https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm

Source: security-advisories@github.com

Timeline

No history available yet.