CVE-2025-46816: 
vulnerability analysis and mitigation

goshs, a SimpleHTTPServer written in Go, contains a critical remote code execution vulnerability (CVE-2025-46816) discovered and disclosed on May 6, 2025. The vulnerability affects versions 0.3.4 through 1.0.4, allowing unauthenticated users to execute arbitrary commands on the server when running goshs without arguments (Wiz Report, NVD).

The vulnerability stems from the dispatchReadPump function not properly checking the command-line option -c, which enables unauthorized command execution through websockets. The vulnerability has been assigned a CVSS v3.0 base score of 9.4 (Critical) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L. The weakness has been categorized under CWE-284 (Improper Access Control) and CWE-77 (Command Injection) (GitHub Advisory, NVD).

The vulnerability allows remote attackers to execute arbitrary commands on affected goshs servers without authentication. This results in high impact on both confidentiality and integrity of the system, with a lower impact on availability (GitHub Advisory).

The vulnerability has been fixed in version 1.0.5 of goshs. Users are advised to upgrade to this version to mitigate the risk (NVD).