CVE-2025-46816

Published May 6th, 2025

View on NVD ↗

CVSS v3

N/A

CVSS v2

N/A

Affected

PROJECT

Description

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.

goshs-labs/goshs

Feature-rich single-binary file server for red teamers and developers. HTTP/S · WebDAV · FTP/SFTP · SMB · LDAP/S · NTLM hash capture · DNS/SMTP callbacks · TLS · Auth · Share links. A powerful python3 -m http.server replacement.

GitHub

878