9.4

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-46816

CVE-2025-46816: goshs route not protected, allows command execution

Summary

It seems that when running goshs without arguments it is possible for anyone to execute commands on the server. This was tested on version 1.0.4 of goshs. The command function was introduced in version 0.3.4.

Details

It seems that the function dispatchReadPump does not checks the option cli -c, thus allowing anyone to execute arbitrary command through the use of websockets.

PoC

Used websocat for the POC:

echo -e '{"type": "command", "content": "id"}' |./websocat 'ws://192.168.1.11:8000/?ws' -t

Impact

The vulnerability will only impacts goshs server on vulnerable versions.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-46816

CVE-2025-46816:

9.4

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/patrickhener/goshs	go	>= 0.3.4, <= 1.0.4	1.0.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly mentions the dispatchReadPump function as the source of the issue, stating it doesn't check the CLI option -c. The provided commit 160220974576afe5111485b8d12fd36058984cfa modifies this function in ws/client.go. The diff shows that the code responsible for unmarshaling and executing the command, previously unconditional, is now wrapped in an if c.hub.cliEnabled block. This confirms that dispatchReadPump was the function that improperly handled command execution. The changes in httpserver/server.go (passing fs.CLI to NewHub) and ws/hub.go (adding cliEnabled to the Hub struct and NewHub constructor) are part of the fix to correctly propagate the command-line interface setting to the websocket handler, enabling the check in dispatchReadPump. Therefore, ws.Client.dispatchReadPump is the function that directly processes the potentially malicious input and executes commands, making it the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-46816: goshs route not protected, allows command execution

Summary

Details

PoC

Impact

CVE-2025-46816:

9.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.4

9.4

CVE-2025-46816: goshs route not protected, allows command execution

Summary

Details

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI