CVE-2025-46816: goshs route not protected, allows command execution

May 6, 2025

It seems that when running goshs without arguments it is possible for anyone to execute commands on the server. This was tested on version 1.0.4 of goshs. The command function was introduced in version 0.3.4.

References

github.com/advisories/GHSA-rwj2-w85g-5cmm
github.com/patrickhener/goshs
github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa
github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm
nvd.nist.gov/vuln/detail/CVE-2025-46816

Code Behaviors & Features

Detect and mitigate CVE-2025-46816 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →