CVE-2025-46816 Overview
CVE-2025-46816 is a critical Command Injection vulnerability in goshs, a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function dispatchReadPump does not check whether the CLI option (-c) was enabled, thus allowing anyone to execute arbitrary commands over websockets.
Critical Impact
Unauthenticated remote attackers can execute arbitrary commands on the server via websocket connections, potentially leading to full system compromise.
Affected Products
- goshs versions >= 0.3.4 and < 1.0.5
Discovery Timeline
- 2025-05-06 - CVE-2025-46816 published to NVD
- 2025-05-07 - Last updated in NVD database
Technical Details for CVE-2025-46816
Vulnerability Analysis
This vulnerability exists in the websocket handling code of goshs. The core issue is that the dispatchReadPump function processes incoming websocket messages of type "command" without validating whether the CLI option (-c) was actually enabled by the server administrator. This architectural flaw means that even when goshs is started without the command-line interface flag, attackers can still send command execution requests through the websocket interface.
The vulnerability is classified as CWE-77 (Command Injection), which occurs when an application constructs all or part of a command using externally-influenced input without proper neutralization. In this case, commands submitted via websocket are directly executed through the cli.RunCMD() function regardless of the server's intended configuration.
Root Cause
The root cause is a missing authorization check in the websocket message handler. The Hub structure was initialized without awareness of the CLI configuration state, and the client message processing logic unconditionally executed commands received via the "command" packet type. The vulnerable code path allowed the cli.RunCMD(command) function to be called on any command string extracted from incoming websocket packets.
Attack Vector
The attack can be carried out remotely over the network without any authentication. An attacker simply needs to establish a websocket connection to a running goshs instance and send a properly formatted JSON packet with type "command" containing the arbitrary command to execute. Since no authentication or configuration checks are performed, the server will execute the command and return the output to the attacker.
// Vulnerable code in ws/client.go (before patch)
case "command":
	var command string
	if err := json.Unmarshal(packet.Content, &command); err != nil {
		// Note: the error is logged but execution falls through with an empty command
		logger.Errorf("Error reading json packet: %+v", err)
	}
	logger.Debugf("Command was: %+v", command)
	// No check that the server was started with -c: every websocket client reaches RunCMD
	output, err := cli.RunCMD(command)
	if err != nil {
		logger.Errorf("Error running command: %+v", err)
	}
	logger.Debugf("Output: %+v", output)
	c.updateCLI(output)
Source: GitHub Commit
Detection Methods for CVE-2025-46816
Indicators of Compromise
- Unexpected websocket connections to goshs instances from unknown IP addresses
- Log entries showing command execution via websocket when CLI mode was not enabled
- Unusual process spawning from the goshs process
- Network traffic containing websocket frames with "command" type packets
Detection Strategies
- Monitor websocket traffic to goshs servers for packets containing "command" type messages
- Implement network-level detection for websocket upgrade requests to unexpected endpoints
- Review goshs process logs for debug messages indicating command execution ("Command was:" and "Output:" patterns)
- Deploy endpoint detection to identify unexpected child processes spawned by goshs
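Added example, not code from goshs: a small Go log scanner implementing the log-review strategy above. It flags every "Command was:" debug message when the operator did not start the server with -c, since in that configuration no command should run at all. The CommandEvent type, the log line format and the sample lines are constructed for this example; only the "Command was:" and "Output:" message patterns come from the goshs handler shown above.

```go
package main

import (
	"fmt"
	"strings"
)

// CommandEvent: one command execution recovered from goshs debug logs (type name assumed).
type CommandEvent struct {
	Line    int
	Command string
}

// FindCommandExecutions scans log lines for the "Command was:" message the
// websocket handler emits at debug level before calling cli.RunCMD.
func FindCommandExecutions(lines []string) []CommandEvent {
	var events []CommandEvent
	for i, line := range lines {
		idx := strings.Index(line, "Command was: ")
		if idx < 0 {
			continue
		}
		cmd := strings.TrimSpace(line[idx+len("Command was: "):])
		events = append(events, CommandEvent{Line: i + 1, Command: cmd})
	}
	return events
}

// Alerts returns one finding per execution when goshs was started without -c:
// in that configuration no command should ever run, so every hit is an IoC.
func Alerts(lines []string, cliEnabled bool) []string {
	if cliEnabled {
		return nil
	}
	var out []string
	for _, ev := range FindCommandExecutions(lines) {
		out = append(out, fmt.Sprintf("line %d: command %q ran while CLI disabled", ev.Line, ev.Command))
	}
	return out
}

// sampleLog is constructed for this example; only the "Command was:" and
// "Output:" messages are taken from the goshs handler, the rest is made up.
var sampleLog = []string{
	"INFO  Serving HTTP on 0.0.0.0 port 8000",
	"DEBUG Command was: id",
	"DEBUG Output: uid=1000(user) gid=1000(user)",
	"DEBUG Command was: cat /etc/hostname",
}
```

Run Alerts(sampleLog, false) to get two findings; with cliEnabled set to true the same log produces none, because command execution is then expected behaviour.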
Monitoring Recommendations
- Enable verbose logging on goshs instances to capture websocket activity
- Set up alerts for any websocket connections to production goshs deployments
- Monitor for reconnaissance activity targeting common goshs ports
- Implement network segmentation to restrict access to goshs instances
How to Mitigate CVE-2025-46816
Immediate Actions Required
- Upgrade goshs to version 1.0.5 or later immediately
- If upgrade is not immediately possible, stop all running goshs instances that do not require the CLI feature
- Review logs for any signs of exploitation before patching
- Restrict network access to goshs instances to trusted networks only
Patch Information
Version 1.0.5 fixes this issue by adding a proper check for the CLI option before processing command requests. The patch modifies the Hub initialization to include CLI configuration state and adds a conditional check (if c.hub.cliEnabled) before executing any commands received via websocket.
For detailed patch information, see the GitHub Security Advisory GHSA-rwj2-w85g-5cmm.
Workarounds
- Disable or block websocket connections at the network level if they are not required
- Place goshs behind a reverse proxy that filters websocket upgrade requests
- Use firewall rules to restrict access to goshs instances to trusted IP addresses only
- Run goshs in isolated network segments with no access to sensitive systems
// Patched code in ws/client.go - CLI check added
case "command":
	// Only honour command packets when the server was started with -c
	if c.hub.cliEnabled {
		var command string
		if err := json.Unmarshal(packet.Content, &command); err != nil {
			logger.Errorf("Error reading json packet: %+v", err)
		}
		logger.Debugf("Command was: %+v", command)
		output, err := cli.RunCMD(command)
		if err != nil {
			logger.Errorf("Error running command: %+v", err)
		}
		logger.Debugf("Output: %+v", output)
		c.updateCLI(output)
	}
Source: GitHub Commit
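Added example, not code from goshs: a self-contained Go dispatcher that reproduces the cliEnabled gate from the 1.0.5 patch and, going one step further than the patched snippet, rejects a malformed command payload instead of logging the error and continuing with an empty command. The Packet field names and the Runner indirection are assumptions; cli.RunCMD is replaced by a stub that records the command rather than executing it.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Packet mirrors the shape of a goshs websocket message as described above:
// a type tag plus a raw JSON payload (field names are assumptions).
type Packet struct {
	Type    string          `json:"type"`
	Content json.RawMessage `json:"content"`
}

// Hub carries the server configuration the handler must consult, as the
// 1.0.5 patch does with its cliEnabled flag.
type Hub struct {
	cliEnabled bool
}
var ErrCLIDisabled = errors.New("command packet rejected: server not started with -c")

// Runner stands in for cli.RunCMD so the example never spawns a process.
type Runner func(cmd string) (string, error)

// Dispatch is the hardened handler: it refuses "command" packets unless the
// operator enabled the CLI, and refuses malformed payloads instead of running
// an empty command (the patched snippet logs the unmarshal error and continues).
func Dispatch(hub *Hub, raw []byte, run Runner) (string, error) {
	var p Packet
	if err := json.Unmarshal(raw, &p); err != nil {
		return "", fmt.Errorf("bad packet: %w", err)
	}
	switch p.Type {
	case "command":
		if !hub.cliEnabled {
			return "", ErrCLIDisabled
		}
		var command string
		if err := json.Unmarshal(p.Content, &command); err != nil {
			return "", fmt.Errorf("bad command payload: %w", err)
		}
		return run(command)
	default:
		return "", fmt.Errorf("unsupported packet type %q", p.Type)
	}
}

// echoRunner records what would have been executed instead of executing it.
func echoRunner(cmd string) (string, error) { return "would run: " + cmd, nil }
```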
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.