CVE-2025-46816 Information

Description

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5 running goshs without arguments makes it possible for anyone to execute commands on the server. The function dispatchReadPump does not checks the option cli -c thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

Reference

https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm