Command Execution Vulnerability in goshs by Patrick Hener
CVE-2025-46816

9.4CRITICAL

Key Information:

Vendor: Patrickhener
Status: Goshs
Vendor: CVE Published:; 6 May 2025

🔔 Create Patrickhener Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-46816?

The goshs SimpleHTTPServer, written in Go, is vulnerable to a command execution flaw when running without arguments in versions 0.3.4 through 1.0.4. This vulnerability arises from the dispatchReadPump function not checking the command line option -c, allowing unauthorized users to execute arbitrary commands via websockets. The issue has been addressed and remedied in version 1.0.5.

Affected Version(s)

goshs >= 0.3.4, < 1.0.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-46816
Created by Guilhem7

References

https://github.com/patrickhener/goshs/security/advisories...

x_refsource_CONFIRM

https://github.com/patrickhener/goshs/commit/160220974576...

x_refsource_MISC

CVSS V3.0

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 5, 2025
👾
Exploit known to exist
Jun 5, 2025
Vulnerability published
May 6, 2025
Vulnerability Reserved
Apr 30, 2025