CVE-2025-46816: CWE-284: Improper Access Control in patrickhener goshs
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the CLI option `-c`, thus allowing anyone to execute arbitrary commands through the use of websockets. Version 1.0.5 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-46816 is a critical vulnerability affecting the goshs SimpleHTTPServer written in Go, specifically versions from 0.3.4 up to but not including 1.0.5. The root cause lies in improper access control (CWE-284) combined with command injection (CWE-77) due to a failure in the dispatchReadPump function to validate the presence of the '-c' command-line interface option. When goshs is run without arguments, this flaw allows unauthenticated remote attackers to execute arbitrary commands on the server via WebSocket connections. The vulnerability is severe because it requires no authentication or user interaction and can be exploited remotely over the network (CVSS 9.4). The impact includes full compromise of confidentiality and integrity, with limited impact on availability. The vulnerability was publicly disclosed on May 6, 2025, and fixed in version 1.0.5. No known exploits are currently reported in the wild, but the ease of exploitation and critical severity make it a high-risk threat for any deployment of affected goshs versions.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those using goshs as a lightweight HTTP server in development, testing, or production environments. Successful exploitation could lead to complete system compromise, data theft, unauthorized access to sensitive information, and potential lateral movement within networks. Given goshs' simplicity and Go language base, it might be used in microservices or internal tooling, making it a vector for attackers to gain footholds. Because no authentication is required, any exposed goshs instance running an affected version with the default (argument-less) configuration is open to remote attack. This could impact sectors with sensitive data such as finance, healthcare, and government agencies in Europe, potentially leading to regulatory non-compliance under GDPR due to data breaches. The vulnerability also risks undermining trust in software supply chains if goshs is embedded in other products or services.
Mitigation Recommendations
Immediate mitigation requires upgrading all goshs instances to version 1.0.5 or later, where the vulnerability is fixed. Organizations should audit their environments to identify any running goshs servers, especially those exposed to untrusted networks. If upgrading is not immediately feasible, restricting network access to goshs instances via firewall rules or VPNs can reduce exposure. Additionally, monitoring WebSocket traffic for unusual command execution attempts and implementing intrusion detection systems tailored to detect exploitation patterns can help. Developers should review usage of goshs in their infrastructure and consider replacing it with more secure HTTP server implementations if appropriate. Finally, enforcing strict access controls and network segmentation around goshs servers will limit potential damage from exploitation.
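The two checks a defender needs from the text above are a version-range test for the audit step (0.3.4 inclusive to 1.0.5 exclusive) and the missing access-control gate itself. The following Go program is an added example, not code from goshs or from this advisory; `versionKey`, `IsAffected` and `DispatchCommand` are hypothetical names, and `DispatchCommand` only models the gate the advisory says `dispatchReadPump` lacked, with `commandsEnabled` standing in for the `-c` option.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// versionKey orders "v1.0.5"/"1.0.5" as an int; components assumed below 1000.
func versionKey(v string) (int, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "v"), ".")
	if len(parts) != 3 {
		return 0, errors.New("expected major.minor.patch")
	}
	key := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1000 {
			return 0, errors.New("bad version component: " + p)
		}
		key = key*1000 + n
	}
	return key, nil
}

// IsAffected applies the advisory's range: 0.3.4 <= version < 1.0.5.
func IsAffected(v string) (bool, error) {
	key, err := versionKey(v)
	if err != nil {
		return false, err
	}
	const first, fixed = 3004, 1000005 // 0.3.4 and 1.0.5 as keys
	return key >= first && key < fixed, nil
}

var ErrCommandsDisabled = errors.New("command execution not enabled with -c")

// DispatchCommand models the gate the advisory says dispatchReadPump lacked
// (hypothetical, not goshs code): commandsEnabled stands for the -c option.
func DispatchCommand(commandsEnabled bool, run func(string) error, payload string) error {
	if !commandsEnabled {
		return ErrCommandsDisabled
	}
	return run(payload)
}

func main() {
	affected, _ := IsAffected("1.0.4")
	println("goshs 1.0.4 affected:", affected)
}
```

Feed `IsAffected` the version string reported by each goshs binary found during the audit; a pre-release suffix such as `1.0.5-rc1` is rejected as malformed rather than silently classified.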
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-30T19:41:58.133Z
- CISA Enriched: true
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 682d981bc4522896dcbd9f8d
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 7/5/2025, 4:54:32 PM
Last updated: 7/30/2025, 10:34:34 PM