CVE-2025-46816 – github.com/patrickhener/goshs

Package

Manager: go
Name: github.com/patrickhener/goshs
Vulnerable Version: >=0.3.4 <1.0.5

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00043 pctl0.12351

Details

goshs route not protected, allows command execution ### Summary It seems that when running **goshs** without arguments it is possible for anyone to execute commands on the server. This was tested on version **1.0.4** of **goshs**. The command function was introduced in version **0.3.4**. ### Details It seems that the function ```dispatchReadPump``` does not checks the option cli ```-c```, thus allowing anyone to execute arbitrary command through the use of websockets. ### PoC Used **websocat** for the POC: ```bash echo -e '{"type": "command", "content": "id"}' |./websocat 'ws://192.168.1.11:8000/?ws' -t ``` ### Impact The vulnerability will only impacts goshs server on vulnerable versions.

Metadata

Created: 2025-05-06T16:45:17Z
Modified: 2025-05-06T21:44:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-rwj2-w85g-5cmm/GHSA-rwj2-w85g-5cmm.json
CWE IDs: ["CWE-284", "CWE-77"]
Alternative ID: GHSA-rwj2-w85g-5cmm
Finding: F422
Auto approve: 1