CVE-2025-46816 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-46816 PUBLISHED CVSS 9.399999618530273 CRITICAL

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

EPSS 0.16% · 36.4th percentile

Risk Scores

CVSS v3.0

9.399999618530273

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Score

0.16%

36.4th percentile

Affected Products

Vendor	Product	Versions
github.com	patrickhener/goshs	0.3.4, 0.3.4
patrickhener	goshs	>= 0.3.4, < 1.0.5, >= 0.3.4, < 1.0.5

Timeline

Jan 21, 1970 Security Advisory
May 6, 2025 CVE Published
May 6, 2025 Coalition ESS Score
May 6, 2025 PoC Published
May 6, 2025 PoC Published
May 7, 2025 EPSS Score
May 7, 2025 Coalition ESS Score
May 18, 2025 EPSS Score
May 29, 2025 EPSS Score
Jun 4, 2025 PoC Published
Jun 9, 2025 EPSS Score
Jun 20, 2025 EPSS Score

References

Open in Interactive Console →