Description
Echo has a Windows path traversal via backslash in middleware.Static default filesystem
Summary
On Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling
unauthenticated remote file read outside the static root.
Details
In middleware/static.go, the requested path is unescaped and normalized with path.Clean (URL semantics).
path.Clean does not treat \ as a path separator, so ..\ sequences remain in the cleaned path. The resulting
path is then passed to currentFS.Open(...). When the filesystem is left at the default (nil), Echo uses defaultFS
which calls os.Open (echo.go:792). On Windows, os.Open treats \ as a path separator and resolves ..\,
allowing traversal outside the static root.
Relevant code:
middleware/static.go (path unescape + path.Clean + currentFS.Open)
echo.go (defaultFS.Open → os.Open)
This is the same class as CVE-2020-36565 (fixed in v4 by switching to OS-aware cleaning), but in v5 the path.Clean-defaultFS combination reintroduces the Windows backslash traversal.
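The backslash behaviour described above, and one way a static handler can close it, as an added Go example that is not Echo's own code: vulnerableClean reproduces the unescape-then-path.Clean step, and the hypothetical safeResolve rejects backslashes before cleaning and checks the result with filepath.IsLocal (Go 1.20+). The root directory name "public" and the function names are assumptions.

```go
package main

import (
	"errors"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("static: unsafe request path")

// vulnerableClean reproduces the flawed normalisation: URL-unescape, then
// path.Clean. path.Clean only knows '/', so a "..\" sequence survives intact
// and is later resolved by os.Open on Windows.
func vulnerableClean(requestPath string) (string, error) {
	p, err := url.PathUnescape(requestPath)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + p), nil
}

// safeResolve (hypothetical hardened variant) rejects separator-like bytes
// before cleaning and returns the on-disk path under root, so the result can
// never escape root on any OS.
func safeResolve(root, requestPath string) (string, error) {
	p, err := url.PathUnescape(requestPath)
	if err != nil {
		return "", err
	}
	// Backslash (Windows separator), colon (drive letters) and NUL have no
	// place in a static route; refuse them instead of trusting path.Clean.
	if strings.ContainsAny(p, "\\:\x00") {
		return "", ErrUnsafePath
	}
	// Rooting at "/" makes path.Clean collapse every "../"; the leading "."
	// turns the result into a relative path ("./index.html", "./" for root).
	rel := "." + path.Clean("/"+p)
	// filepath.IsLocal (Go 1.20+) is OS-aware: on Windows it also rejects
	// reserved device names such as CON or NUL.
	if !filepath.IsLocal(rel) {
		return "", ErrUnsafePath
	}
	return filepath.Join(root, filepath.FromSlash(rel)), nil
}
```

On Linux the test below shows only the lexical half (path.Clean keeping the backslashes); the actual escape needs os.Open on Windows, which is why the check must happen before the filesystem call.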
PoC
Windows only.
Sample code (main.go):
Static file:
public/index.html
(content can be any HTML)
Run: go run .
Verify:
curl http://localhost:1323/index.html
curl --path-as-is "http://localhost:1323/..%5c..%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts"
Expected: 404
Screenshot:
Impact
Path traversal leading to arbitrary file read outside the static root. Any unauthenticated remote user can
read local files that the Echo process has access to on Windows, if middleware.Static is used with the default
filesystem.
Packages
Package: github.com/labstack/echo/v5
Affected versions: >= 5.0.0, < 5.0.3
Fixed version: 5.0.3
Related vulnerabilities
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.