{"uuid": "88556562-a36c-4a53-a7df-a3f534993c30", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-RGJ7-VG8V-J4WR", "type": "seen", "source": "https://gist.github.com/alon710/94f8b23cf2128584de5548f78104fff1", "content": "# GHSA-RGJ7-VG8V-J4WR: Unauthenticated Engagement Metric Inflation in Ech0\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/GHSA-RGJ7-VG8V-J4WR\n\n## Summary\nThe Ech0 lightweight publishing platform suffers from a missing authentication check (CWE-306) and missing authorization (CWE-862) on the `PUT /api/echo/like/:id` API endpoint. This vulnerability allows an unauthenticated remote attacker to arbitrarily inflate engagement metrics by repeatedly sending requests, falsifying social proof and generating unnecessary database writes.\n\n## TL;DR\nA critical API endpoint in the Ech0 publishing platform was exposed publicly without authentication or user-binding checks. Remote attackers can leverage this to artificially inflate the \"like\" count of any post via repeated HTTP requests.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-306 / CWE-862\n- **Attack Vector**: Network\n- **CVSS Base Score**: 5.3 (Medium)\n- **Impact**: Integrity Loss (Engagement Manipulation)\n- **Exploit Status**: Proof of Concept Available\n- **Authentication**: None Required\n\n## Affected Systems\n\n- github.com/lin-snow/ech0 implementations prior to version 1.4.8-0.20260503040728-a7e8b8e84bd1\n- **github.com/lin-snow/ech0**: < 1.4.8-0.20260503040728-a7e8b8e84bd1 (Fixed in: `1.4.8-0.20260503040728-a7e8b8e84bd1`)\n\n## Mitigation\n\n- Migrate the target endpoint to an authenticated routing group.\n- Implement stateful tracking of engagement metrics linking specific user IDs to specific resources.\n- Apply strict IP-based rate limiting on state-changing API endpoints.\n- Implement CORS policies to restrict cross-origin exploitation vectors.\n\n**Remediation Steps:**\n1. Update the Ech0 application to version 1.4.8-0.20260503040728-a7e8b8e84bd1 or later.\n2. Verify that the `PUT /api/echo/like/:id` endpoint returns an HTTP 401 Unauthorized status when accessed without credentials.\n3. Review custom routing logic in internal forks to ensure no administrative or state-changing routes reside in the `PublicRouterGroup`.\n\n## References\n\n- [GitHub Advisory: GHSA-rgj7-vg8v-j4wr](https://github.com/advisories/GHSA-rgj7-vg8v-j4wr)\n- [OSV Entry: GHSA-rgj7-vg8v-j4wr](https://osv.dev/vulnerability/GHSA-rgj7-vg8v-j4wr)\n- [Fix Commit: a7e8b8e84bd1e3db090dfb720f2c6c433356b442](https://github.com/lin-snow/Ech0/commit/a7e8b8e84bd1e3db090dfb720f2c6c433356b442)\n- [Ech0 Project Repository](https://github.com/lin-snow/Ech0)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-RGJ7-VG8V-J4WR) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-08T15:40:29.000000Z"}