exploitDog

CVE-2026-25766

Published: 19 Feb 2026
Source: nvd
CVSS3: 5.3
EPSS: Low

Description

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and normalized with path.Clean (URL semantics). path.Clean does not treat \ as a path separator, so ..\ sequences remain in the cleaned path. The resulting path is then passed to currentFS.Open(...). When the filesystem is left at the default (nil), Echo uses defaultFS which calls os.Open (echo.go:792). On Windows, os.Open treats \ as a path separator and resolves ..\, allowing traversal outside the static root. Version 5.0.3 fixes the issue.
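
The separator mismatch described above, as an added Go example (not Echo's code and not its 5.0.3 fix). `cleanURLPath` reproduces the `path.Clean` normalization, `escapesRoot` approximates Windows separator handling by treating `\` like `/`, and `safeStaticName` is a hypothetical pre-open check; the root `/srv/static` and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cleanURLPath reproduces the normalization the advisory describes:
// path.Clean with URL (forward-slash only) semantics on a rooted path.
func cleanURLPath(requested string) string {
	return path.Clean("/" + requested)
}

// escapesRoot approximates how a backslash-separator OS would resolve the
// cleaned name under root (simulation: '\' is treated like '/').
func escapesRoot(root, cleaned string) bool {
	resolved := path.Clean(root + "/" + strings.ReplaceAll(cleaned, `\`, "/"))
	return resolved != root && !strings.HasPrefix(resolved, root+"/")
}

// safeStaticName is a hypothetical pre-open check (not Echo's code): refuse
// any name that still carries a backslash, then clean it as before.
func safeStaticName(requested string) (string, bool) {
	if strings.Contains(requested, `\`) {
		return "", false
	}
	return strings.TrimPrefix(cleanURLPath(requested), "/"), true
}

func main() {
	const root = "/srv/static" // constructed static root
	// Constructed request paths, already URL-unescaped.
	samples := []string{"css/site.css", "../secret.txt",
		`..\..\secret.txt`, `img/..\..\secret.txt`}
	for _, s := range samples {
		c := cleanURLPath(s)
		_, ok := safeStaticName(s)
		fmt.Printf("%-24q cleaned=%-26q escapes=%-5v allowed=%v\n",
			s, c, escapesRoot(root, c), ok)
	}
}
```

The forward-slash `../` case is clamped to the root by `path.Clean`, while both backslash cases pass through it unchanged and are only caught by the explicit backslash check.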

Vulnerable configurations

Configuration 1

All of the following

cpe:2.3:a:labstack:echo:*:*:*:*:*:go:*:*
Versions from 5.0.0 (inclusive) up to 5.0.3 (exclusive)
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

EPSS

Percentile: 15%
0.00048
Low

CVSS3: 5.3 Medium

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 5.3
ubuntu
about 1 month ago

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.

CVSS3: 5.3
debian
about 1 month ago

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows ...

CVSS3: 5.3
github
about 1 month ago

Echo has a Windows path traversal via backslash in middleware.Static default filesystem
