Description
goshs route not protected, allows command execution
Summary
It seems that when running goshs without arguments it is possible for anyone to execute commands on the server. This was tested on version 1.0.4 of goshs. The command function was introduced in version 0.3.4.
Details
It seems that the function dispatchReadPump does not check the CLI option -c, thus allowing anyone to execute arbitrary commands through the use of websockets.
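An added example (not goshs source code and not part of the advisory) of the kind of check the Details section says is missing: a websocket message dispatcher that refuses command messages unless the CLI option was enabled. The `hub` type, the JSON packet shape, the `checked` switch and the stubbed runner are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical message shape; the real goshs wire format is not shown on the page.
type packet struct {
	Type    string `json:"type"`
	Content string `json:"content"`
}

var errCLIDisabled = errors.New("command execution not enabled (-c not set)")

// hub is a hypothetical stand-in for the server's websocket hub.
type hub struct {
	cliEnabled bool                // true only when the server was started with -c
	run        func(string) string // injected runner; this example executes nothing
}

// dispatch handles one message. checked=false models the reported flaw:
// the "command" type is served without consulting the -c option.
func (h *hub) dispatch(raw []byte, checked bool) (string, error) {
	var p packet
	if err := json.Unmarshal(raw, &p); err != nil {
		return "", fmt.Errorf("bad packet: %w", err)
	}
	switch p.Type {
	case "command":
		if checked && !h.cliEnabled {
			return "", errCLIDisabled // fail closed before reaching the runner
		}
		return h.run(p.Content), nil
	case "echo": // other message types are unaffected by the gate
		return p.Content, nil
	default:
		return "", fmt.Errorf("unknown packet type %q", p.Type)
	}
}

func main() {
	calls := 0
	h := &hub{run: func(c string) string { calls++; return "ran:" + c }} // no -c
	msg := []byte(`{"type":"command","content":"id"}`)                  // constructed sample
	_, e1 := h.dispatch(msg, false)
	_, e2 := h.dispatch(msg, true)
	fmt.Println("unchecked err:", e1, "| checked err:", e2, "| runner calls:", calls)
}
```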
PoC
Used websocat for the POC:
Impact
The vulnerability only impacts goshs servers running vulnerable versions.
Packages
Package: github.com/patrickhener/goshs
Affected versions: >= 0.3.4, <= 1.0.4
Fixed version: 1.0.5
Related vulnerabilities
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the CLI option `-c`, thus allowing anyone to execute arbitrary commands through the use of websockets. Version 1.0.5 fixes the issue.