CVE-2025-46816 is a critical vulnerability affecting the goshs SimpleHTTPServer written in Go, specifically versions from 0.3.4 up to but not including 1.0.5. The root cause lies in improper access control (CWE-284) combined with command injection (CWE-77) due to a failure in the dispatchReadPump function to validate the presence of the '-c' command-line interface option. When goshs is run without arguments, this flaw allows unauthenticated remote attackers to execute arbitrary commands on the server via WebSocket connections. The vulnerability is severe because it requires no authentication or user interaction and can be exploited remotely over the network (CVSS 9.4). The impact includes full compromise of confidentiality and integrity, with limited impact on availability. The vulnerability was publicly disclosed on May 6, 2025, and fixed in version 1.0.5. No known exploits are currently reported in the wild, but the ease of exploitation and critical severity make it a high-risk threat for any deployment of affected goshs versions.

For European organizations, this vulnerability poses a significant risk especially for those using goshs as a lightweight HTTP server in development, testing, or production environments. Successful exploitation could lead to complete system compromise, data theft, unauthorized access to sensitive information, and potential lateral movement within networks. Given goshs' simplicity and Go language base, it might be used in microservices or internal tooling, making it a vector for attackers to gain footholds. The lack of authentication requirement means any exposed goshs instance is vulnerable to remote attack. This could impact sectors with sensitive data such as finance, healthcare, and government agencies in Europe, potentially leading to regulatory non-compliance under GDPR due to data breaches. The vulnerability also risks undermining trust in software supply chains if goshs is embedded in other products or services.

Immediate mitigation requires upgrading all goshs instances to version 1.0.5 or later, where the vulnerability is fixed. Organizations should audit their environments to identify any running goshs servers, especially those exposed to untrusted networks. If upgrading is not immediately feasible, restricting network access to goshs instances via firewall rules or VPNs can reduce exposure. Additionally, monitoring WebSocket traffic for unusual command execution attempts and implementing intrusion detection systems tailored to detect exploitation patterns can help. Developers should review usage of goshs in their infrastructure and consider replacing it with more secure HTTP server implementations if appropriate. Finally, enforcing strict access controls and network segmentation around goshs servers will limit potential damage from exploitation.