bdu,nvd,anchore_overrides
Labstack
Vulnerabilities
4
Known exploited
0
Critical
2
High
0
Top products
Top vulnerabilities
CVE-2022-40083Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).
BDU:2023-08980Уязвимость компонента Static Handler веб-фреймворка для создания масштабируемых и высокопроизводительных веб-приложений Echo связана с переадресацией URL на ненадежный сайт. Эксплуатация уязвимости может повзолить нарушителю, действующему удаленно, осуществить SSRF-атаку
CVE-2026-25766Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.
CVE-2020-36565Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.