goshs WebSocket Command Execution Vulnerability

Vulnerability

A command execution vulnerability has been identified in goshs, a SimpleHTTPServer written in Go. This issue affects versions 0.3.4 through 1.0.4. When goshs is run without arguments, the 'dispatchReadPump' function fails to validate the presence of the '-c' option, allowing anyone to execute arbitrary commands on the server via WebSockets.
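The check that is missing, shown as an added illustration rather than goshs's own code: a minimal dispatcher for JSON WebSocket frames in which the "command" branch is gated on whether the server was started with '-c'. The Message shape, the Dispatcher type, the field names and the frame contents are assumptions constructed for this example; the runner only records what it was asked to run, so nothing is executed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Message is the assumed shape of a JSON WebSocket frame; the field names are
// constructed for this illustration and are not goshs's real wire format.
type Message struct {
	Type string `json:"type"`
	Args string `json:"args"`
}

var (
	ErrCommandsDisabled = errors.New("command execution not enabled: server was not started with -c")
	ErrUnknownType      = errors.New("unknown message type")
)

// Runner is whatever would actually execute a command. The example injects a
// recorder instead of a shell so the gating logic can be exercised safely.
type Runner func(args string) (string, error)

// Dispatcher carries the one piece of server-wide state the check depends on:
// whether the operator opted into command execution at start-up.
type Dispatcher struct {
	CommandsEnabled bool // true only when -c was passed on the command line
	run             Runner
}

func NewDispatcher(commandsEnabled bool, run Runner) *Dispatcher {
	return &Dispatcher{CommandsEnabled: commandsEnabled, run: run}
}

// DispatchVulnerable models the flaw: the "command" branch assumes the feature
// is on, so any client that can open the socket reaches the runner.
func (d *Dispatcher) DispatchVulnerable(frame []byte) (string, error) {
	var m Message
	if err := json.Unmarshal(frame, &m); err != nil {
		return "", err
	}
	switch m.Type {
	case "command":
		return d.run(m.Args)
	default:
		return "", ErrUnknownType
	}
}

// DispatchFixed consults the start-up option before acting on the message, so
// a frame of type "command" is rejected unless -c was given.
func (d *Dispatcher) DispatchFixed(frame []byte) (string, error) {
	var m Message
	if err := json.Unmarshal(frame, &m); err != nil {
		return "", err
	}
	switch m.Type {
	case "command":
		if !d.CommandsEnabled {
			return "", ErrCommandsDisabled
		}
		return d.run(m.Args)
	default:
		return "", ErrUnknownType
	}
}

// RecordingRunner returns a Runner that only appends each request to a log and
// a pointer to that log, so the caller can see what would have run.
func RecordingRunner() (Runner, *[]string) {
	log := &[]string{}
	return func(args string) (string, error) {
		*log = append(*log, args)
		return "recorded: " + args, nil
	}, log
}

func main() {
	// Constructed frame: what a client would send to request a command.
	frame := []byte(`{"type":"command","args":"echo hello"}`)

	run, log := RecordingRunner()
	noFlag := NewDispatcher(false, run) // server started without -c

	_, err := noFlag.DispatchVulnerable(frame)
	fmt.Printf("vulnerable, no -c: err=%v, runner saw %v\n", err, *log)

	_, err = noFlag.DispatchFixed(frame)
	fmt.Printf("fixed, no -c:      err=%v, runner saw %v\n", err, *log)

	withFlag := NewDispatcher(true, run) // operator explicitly passed -c
	out, err := withFlag.DispatchFixed(frame)
	fmt.Printf("fixed, with -c:    out=%q err=%v\n", out, err)
}
```

The design point is that the decision is made from a server-wide setting fixed at start-up, before any argument from the peer is looked at; a check placed inside the runner, or one derived from anything in the frame itself, would still let an unauthenticated client choose the code path.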

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where goshs is running.

Reproduction

The vulnerability can be reproduced by sending a WebSocket request to a goshs server instance running a vulnerable version without any command-line arguments. The 'dispatchReadPump' function will process the request and execute the command on the server.

Remediation

Users can upgrade to goshs version 1.0.5 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  8.7
  remediation     7.7
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.