CVE-2025-46816
📋 TL;DR
CVE-2025-46816 is a critical command injection vulnerability in goshs (a SimpleHTTPServer written in Go) that allows unauthenticated remote attackers to execute arbitrary commands on the server via websockets. It affects all deployments running goshs versions 0.3.4 through 1.0.4 that were started without the command-line flag that disables command execution, and so impacts anyone using goshs as a web server without applying the security fix.
💻 Affected Systems
- goshs (SimpleHTTPServer written in Go)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise, allowing an attacker to execute arbitrary commands with the server's privileges, install malware, exfiltrate data, or pivot to other systems.
Likely Case
Remote code execution leading to data theft, service disruption, or installation of backdoors on vulnerable servers.
If Mitigated
Limited impact if proper network segmentation and least-privilege principles are in place, though remote code execution on the goshs host itself would still be possible.
🎯 Exploit Status
The vulnerability is trivially exploitable via websocket connections without authentication. Public exploit code is available in the security advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.5
Vendor Advisory: https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm
Restart Required: Yes
Instructions:
1. Stop all goshs instances.
2. Update to version 1.0.5 or later using 'go get github.com/patrickhener/goshs@v1.0.5' or download from releases.
3. Recompile if using source.
4. Restart goshs services with the updated binary.
🔧 Temporary Workarounds
Run with command execution disabled
All platforms: Always run goshs with the '-c' flag to disable command execution via websockets
goshs -c
Network isolation
Linux: Restrict network access to goshs instances using firewall rules (replace trusted_network with the source address or CIDR you trust, and 8080 with the port your goshs instance actually listens on; the ACCEPT rule must be appended before the DROP rule, as shown)
iptables -A INPUT -p tcp --dport 8080 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
🧯 If You Can't Patch
- Immediately stop using goshs and migrate to a different web server
- Implement strict network segmentation and firewall rules to limit access to goshs instances
🔍 How to Verify
Check if Vulnerable:
Check the goshs version with 'goshs --version' or examine the binary metadata. If the version is between 0.3.4 and 1.0.4 inclusive, the system is vulnerable (unless every instance was started with the '-c' workaround flag).
Check Version:
goshs --version
Verify Fix Applied:
After patching, verify that the version is 1.0.5 or later with 'goshs --version'. Websocket command execution attempts should then fail.
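The version check above, as an added example that is not part of the original advisory or of the goshs project: it parses the 'goshs --version' banner, tests it against the inclusive 0.3.4 to 1.0.4 range, and, for each running goshs process found via Linux /proc, reports whether the '-c' workaround flag was passed. It assumes the banner contains a dotted x.y.z version and that the executable name is goshs.

```python
import glob
import re
import subprocess
from typing import List, Optional, Tuple

# Inclusive vulnerable range stated in this advisory for CVE-2025-46816.
VULN_MIN, VULN_MAX = (0, 3, 4), (1, 0, 4)

def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first x.y.z triple out of a version banner.
    Assumption: 'goshs --version' prints a dotted version somewhere in its output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)

def assess(banner: str, argv: List[str]) -> str:
    """Classify one goshs instance from its version banner and its command line.
    '-c' is the flag the advisory's workaround uses to disable command execution."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if not (VULN_MIN <= version <= VULN_MAX):
        return "not-vulnerable"
    if "-c" in argv[1:]:
        return "vulnerable-version-mitigated-by-c"
    return "vulnerable"

def running_goshs_cmdlines() -> List[List[str]]:
    """Collect argv of every running process whose executable is named goshs (Linux /proc)."""
    found = []
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                argv = fh.read().split(b"\0")[:-1]  # cmdline is NUL-terminated
        except OSError:
            continue  # process exited or is not readable by this user
        if argv and argv[0].decode(errors="replace").rsplit("/", 1)[-1] == "goshs":
            found.append([a.decode(errors="replace") for a in argv])
    return found

if __name__ == "__main__":
    try:
        proc = subprocess.run(["goshs", "--version"], capture_output=True, text=True)
    except FileNotFoundError:
        raise SystemExit("goshs not found on PATH")
    banner = proc.stdout + proc.stderr  # assumption: banner may go to either stream
    instances = running_goshs_cmdlines() or [["goshs"]]  # nothing running: judge the binary alone
    for argv in instances:
        print(" ".join(argv), "->", assess(banner, argv))
```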
📡 Detection & Monitoring
Log Indicators:
- Websocket connection attempts followed by command execution patterns
- Unusual process spawns from goshs
- Failed command execution attempts in logs
Network Indicators:
- Websocket traffic to goshs ports with command-like payloads
- Unusual outbound connections from goshs server
SIEM Query:
source="goshs.log" AND (websocket OR command OR exec OR system)