CVE-2025-46816

Published May 6, 2025

Last updated 2 months ago

CVSS critical 9.4

Overview

Description
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.0

Type
Secondary
Base score
9.4
Impact score
5.5
Exploitability score
3.9
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-77

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2025-46816 ⚠️🔴 CRITICAL (9.4) 🏢 patrickhener - goshs 🏗️ >= 0.3.4, < 1.0.5 🔗 https://t.co/7N5vk5VrGU 🔗 https://t.co/S1cv3yQY9l #CyberCron #VulnAlert #InfoSec https://t.co/yQyNT7V8m3

    @cybercronai

    7 May 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.