CVE-2026-25766 (GCVE-0-2026-25766)
Vulnerability from cvelistv5 – Published: 2026-02-19 15:49 – Updated: 2026-02-19 19:46
VLAI?
Title
Echo has a Windows path traversal via backslash in middleware.Static default filesystem
Summary
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25766",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T19:45:33.220477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T19:46:01.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "echo",
"vendor": "labstack",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo\u2019s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\\` as a path separator, so `..\\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\\` as a path separator and resolves `..\\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T15:49:02.402Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9"
},
{
"name": "https://github.com/labstack/echo/pull/2891",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labstack/echo/pull/2891"
},
{
"name": "https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1"
}
],
"source": {
"advisory": "GHSA-pgvm-wxw2-hrv9",
"discovery": "UNKNOWN"
},
"title": "Echo has a Windows path traversal via backslash in middleware.Static default filesystem"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25766",
"datePublished": "2026-02-19T15:49:02.402Z",
"dateReserved": "2026-02-05T18:35:52.358Z",
"dateUpdated": "2026-02-19T19:46:01.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25766\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-19T16:27:15.497\",\"lastModified\":\"2026-02-20T13:49:47.623\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo\u2019s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\\\\` as a path separator, so `..\\\\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\\\\` as a path separator and resolves `..\\\\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/labstack/echo/pull/2891\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25766\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-19T19:45:33.220477Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-19T19:45:56.146Z\"}}], \"cna\": {\"title\": \"Echo has a Windows path traversal via backslash in middleware.Static default filesystem\", \"source\": {\"advisory\": \"GHSA-pgvm-wxw2-hrv9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"labstack\", \"product\": \"echo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 5.0.3\"}]}], \"references\": [{\"url\": \"https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9\", \"name\": \"https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/labstack/echo/pull/2891\", \"name\": \"https://github.com/labstack/echo/pull/2891\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1\", \"name\": \"https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo\\u2019s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\\\\` as a path separator, so `..\\\\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\\\\` as a path separator and resolves `..\\\\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-19T15:49:02.402Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25766\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-19T19:46:01.829Z\", \"dateReserved\": \"2026-02-05T18:35:52.358Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-19T15:49:02.402Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-PGVM-WXW2-HRV9
Vulnerability from github – Published: 2026-02-17 18:53 – Updated: 2026-02-19 21:30
VLAI?
Summary
Echo has a Windows path traversal via backslash in middleware.Static default filesystem
Details
Summary
On Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling
unauthenticated remote file read outside the static root.
Details
In middleware/static.go, the requested path is unescaped and normalized with path.Clean (URL semantics).
path.Clean does not treat \ as a path separator, so ..\ sequences remain in the cleaned path. The resulting
path is then passed to currentFS.Open(...). When the filesystem is left at the default (nil), Echo uses defaultFS
which calls os.Open (echo.go:792). On Windows, os.Open treats \ as a path separator and resolves ..\,
allowing traversal outside the static root.
Relevant code:
- middleware/static.go (path unescape + path.Clean + currentFS.Open)
- echo.go defaultFS.Open → os.Open
This is the same class as CVE-2020-36565 (fixed in v4 by switching to OS-aware cleaning), but in v5 the path.Clean
+ defaultFS combination reintroduces the Windows backslash traversal.
PoC
Windows only.
Sample code (main.go): ```go package main
import ( "log" "net/http"
"github.com/labstack/echo/v5"
"github.com/labstack/echo/v5/middleware"
)
func main() { e := echo.New()
// Important: use middleware.Static with default filesystem (nil)
e.Use(middleware.Static("public"))
e.GET("/healthz", func(c *echo.Context) error {
return c.String(http.StatusOK, "ok")
})
addr := ":1323"
log.Printf("listening on %s", addr)
if err := e.Start(addr); err != nil && err != http.ErrServerClosed {
log.Fatal(err)
}
} ``` Static file:
public/index.html
(content can be any HTML)
Run: go run .
Verify:
curl http://localhost:1323/index.html curl --path-as-is "http://localhost:1323/..%5c..%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts" Expected: 404
Screenshot:
### Impact
Path traversal leading to arbitrary file read outside the static root. Any unauthenticated remote user can
read local files that the Echo process has access to on Windows, if middleware.Static is used with the default
filesystem.
Severity ?
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/labstack/echo/v5"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25766"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T18:53:58Z",
"nvd_published_at": "2026-02-19T16:27:15Z",
"severity": "MODERATE"
},
"details": "### Summary\nOn Windows, Echo\u2019s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling\nunauthenticated remote file read outside the static root.\n\n### Details \n\n In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics).\n `path.Clean` does **not** treat `\\` as a path separator, so `..\\` sequences remain in the cleaned path. The resulting\n path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS`\n which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\\` as a path separator and resolves `..\\`,\n allowing traversal outside the static root.\n\n Relevant code:\n - `middleware/static.go` (path unescape + `path.Clean` + `currentFS.Open`)\n - `echo.go` `defaultFS.Open` \u2192 `os.Open`\n\n This is the same class as CVE-2020-36565 (fixed in v4 by switching to OS-aware cleaning), but in v5 the `path.Clean`\n + defaultFS combination reintroduces the Windows backslash traversal.\n\n\n### PoC\n Windows only.\n\n **Sample code (main.go):**\n ```go\n package main\n\n import (\n \"log\"\n \"net/http\"\n\n \"github.com/labstack/echo/v5\"\n \"github.com/labstack/echo/v5/middleware\"\n )\n\n func main() {\n e := echo.New()\n\n // Important: use middleware.Static with default filesystem (nil)\n e.Use(middleware.Static(\"public\"))\n\n e.GET(\"/healthz\", func(c *echo.Context) error {\n return c.String(http.StatusOK, \"ok\")\n })\n\n addr := \":1323\"\n log.Printf(\"listening on %s\", addr)\n if err := e.Start(addr); err != nil \u0026\u0026 err != http.ErrServerClosed {\n log.Fatal(err)\n }\n }\n ```\n Static file:\n\n public/index.html\n\n (content can be any HTML)\n\n **Run:**\n go run .\n\n **Verify:**\n\n curl http://localhost:1323/index.html\n curl --path-as-is \"http://localhost:1323/..%5c..%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts\"\n Expected: 404 \n\n **Screenshot:**\n\u003cimg width=\"884\" height=\"689\" alt=\"image\" src=\"https://github.com/user-attachments/assets/acb14d70-2a43-47c1-8927-2f3da491a853\" /\u003e\n\u003cimg width=\"1022\" height=\"162\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f2b92aa2-541e-461d-81a2-8a5907d7a447\" /\u003e\n\n\n\n ### Impact\n Path traversal leading to arbitrary file read outside the static root. Any unauthenticated remote user can\n read local files that the Echo process has access to on Windows, if `middleware.Static` is used with the default\n filesystem.",
"id": "GHSA-pgvm-wxw2-hrv9",
"modified": "2026-02-19T21:30:02Z",
"published": "2026-02-17T18:53:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25766"
},
{
"type": "WEB",
"url": "https://github.com/labstack/echo/pull/2891"
},
{
"type": "WEB",
"url": "https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1"
},
{
"type": "PACKAGE",
"url": "https://github.com/labstack/echo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Echo has a Windows path traversal via backslash in middleware.Static default filesystem"
}
FKIE_CVE-2026-25766
Vulnerability from fkie_nvd - Published: 2026-02-19 16:27 - Updated: 2026-02-20 13:49
Severity ?
Summary
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo\u2019s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\\` as a path separator, so `..\\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\\` as a path separator and resolves `..\\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue."
}
],
"id": "CVE-2026-25766",
"lastModified": "2026-02-20T13:49:47.623",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-19T16:27:15.497",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/labstack/echo/pull/2891"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…