GHSA-rwj2-w85g-5cmm: goshs route not protected, allows command execution

Summary

When goshs is run without arguments (in particular without the -c option that is meant to enable command execution), anyone who can reach the server can execute commands on it. This was tested on version 1.0.4 of goshs; the command function was introduced in version 0.3.4.

Details

The function dispatchReadPump, which handles incoming WebSocket messages, does not check whether the cli option (-c) was set. Any client that can reach the WebSocket endpoint can therefore send a command message and have arbitrary commands executed on the host.
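To make the flaw concrete, the following Go snippet is an added illustration, not goshs's own code: a minimal dispatcher for messages in the shape of the PoC payload, once in the unchecked form the advisory describes and once with the missing -c check in place. The Message and Config types, the Runner indirection and the function names are assumptions made for this example; the real dispatchReadPump differs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Message mirrors the JSON shape used in the advisory's PoC:
// {"type": "command", "content": "id"}. (Assumed type for this example.)
type Message struct {
	Type    string `json:"type"`
	Content string `json:"content"`
}

// Config holds the one setting that matters here: whether the operator
// started the server with the -c (cli) flag. (Assumed type for this example.)
type Config struct {
	CLIEnabled bool
}

// Runner executes a shell command and returns its combined output.
// It is injectable so the gate can be exercised without spawning a shell.
type Runner func(cmd string) ([]byte, error)

// shellRunner is the real executor, equivalent to `sh -c <cmd>`.
func shellRunner(cmd string) ([]byte, error) {
	return exec.Command("sh", "-c", cmd).CombinedOutput()
}

var ErrCLIDisabled = errors.New("command execution is disabled (server not started with -c)")
var ErrUnknownType = errors.New("unknown message type")

// dispatchVulnerable models the flawed pattern: the message type alone
// decides what happens and cfg is never consulted, so a "command"
// message is executed whether or not -c was given.
func dispatchVulnerable(cfg Config, raw []byte, run Runner) (string, error) {
	var m Message
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", err
	}
	switch m.Type {
	case "command":
		out, err := run(m.Content) // BUG: no cfg.CLIEnabled check
		return string(out), err
	default:
		return "", ErrUnknownType
	}
}

// dispatchFixed adds the missing authorization check before any exec.
func dispatchFixed(cfg Config, raw []byte, run Runner) (string, error) {
	var m Message
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", err
	}
	switch m.Type {
	case "command":
		if !cfg.CLIEnabled {
			return "", ErrCLIDisabled
		}
		out, err := run(m.Content)
		return string(out), err
	default:
		return "", ErrUnknownType
	}
}

func main() {
	// Constructed sample payload, same shape as the advisory's PoC.
	raw := []byte(`{"type": "command", "content": "echo owned"}`)
	off := Config{CLIEnabled: false} // server started without -c

	out, err := dispatchVulnerable(off, raw, shellRunner)
	fmt.Printf("vulnerable: out=%q err=%v\n", strings.TrimSpace(out), err)

	out, err = dispatchFixed(off, raw, shellRunner)
	fmt.Printf("fixed:      out=%q err=%v\n", strings.TrimSpace(out), err)
}
```

The point of the fix is where the check sits: the flag must be consulted inside the handler that performs the exec, not only when the feature's UI is rendered, because the WebSocket endpoint is reachable regardless of what the client was shown.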

PoC

websocat was used for the PoC (192.168.1.11:8000 is the goshs instance under test; -t sends the payload as a text frame):

echo -e '{"type": "command", "content": "id"}' | ./websocat 'ws://192.168.1.11:8000/?ws' -t

Impact

Only goshs servers running a vulnerable version (0.3.4 through 1.0.4) are affected. On those versions, any client that can reach the WebSocket endpoint can run arbitrary commands with the privileges of the goshs process, without authentication. Affected servers should be upgraded to a release newer than 1.0.4 and should not be exposed to untrusted networks in the meantime.

Source: GitHub Advisory Database (GitHub Reviewed)
Tags: vulnerability, web, git
CVE: CVE-2025-46816

Critical severity. Published May 6, 2025 in patrickhener/goshs. Updated May 6, 2025.

Package

gomod github.com/patrickhener/goshs (Go)

Affected versions

>= 0.3.4, <= 1.0.4

References

  • GHSA-rwj2-w85g-5cmm
  • patrickhener/goshs@1602209

Published to the GitHub Advisory Database

May 6, 2025