goshs route not protected, allows command execution

GHSA-rwj2-w85g-5cmm · CVE-2025-46816 · GO-2025-3672

Published May 6, 2025 · Modified May 15, 2025

Description

Summary

It seems that when running goshs without arguments it is possible for anyone to execute commands on the server. This was tested on version 1.0.4 of goshs. The command function was introduced in version 0.3.4.

Details

It seems that the function dispatchReadPump does not checks the option cli -c, thus allowing anyone to execute arbitrary command through the use of websockets.

PoC

Used websocat for the POC:

echo -e '{"type": "command", "content": "id"}' |./websocat 'ws://192.168.1.11:8000/?ws' -t

Impact

The vulnerability will only impacts goshs server on vulnerable versions.

References

WEB https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-46816
WEB https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa
PACKAGE https://github.com/patrickhener/goshs

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes