Nixpkgs Security Tracker


Suggestion detail

Dismissed
CVE-2026-25766
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month ago by @LeSuisse

Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    15 packages
    • echoip
    • client-ip-echo
    • vkdevicechooser
    • haskellPackages.echo
    • python312Packages.echo
    • python313Packages.echo
    • python314Packages.echo
    • vimPlugins.lspecho-nvim
    • python312Packages.llm-echo
    • python313Packages.llm-echo
    • python314Packages.llm-echo
    • python312Packages.pycolorecho
    • python313Packages.pycolorecho
    • python314Packages.pycolorecho
    • xdg-desktop-portal-termfilechooser
  • @LeSuisse dismissed
Echo has a Windows path traversal via backslash in middleware.Static default filesystem

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences survive in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS`, which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root; on Linux and macOS a backslash is an ordinary filename character, so the same request does not escape the root, which is why the issue is Windows-only. Version 5.0.3 fixes the issue.
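The normalization gap described above, as an added example that is not Echo's code: `vulnerableResolve` reproduces the unescape, `path.Clean`, join sequence and shows that a backslash-encoded `..%5C` survives cleaning, while `hardenedResolve` is one possible hardening (rejecting any backslash before normalizing, then re-checking root confinement) and is not necessarily what the 5.0.3 fix does. The root name `static`, the error values and the helper names are assumptions. Because `os.Open` only treats `\` as a separator on Windows, the example demonstrates the path that would be handed to the filesystem rather than the file read itself.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Hypothetical error values for the hardened resolver (not Echo's).
var (
	ErrBackslash = errors.New("static: backslash in request path")
	ErrTraversal = errors.New("static: resolved path escapes static root")
)

// vulnerableResolve mirrors the normalization the advisory describes: unescape
// the request path, path.Clean it with URL (forward-slash) semantics, and join
// it to the static root. path.Clean only knows '/' as a separator, so a
// `..\` sequence passes through untouched and is handed to the filesystem.
// On Windows os.Open would then interpret every '\' as a separator and walk
// out of root; on Linux/macOS the same string is just a filename that does
// not exist, which is why this cannot be reproduced outside Windows.
func vulnerableResolve(root, requested string) (string, error) {
	p, err := url.PathUnescape(requested)
	if err != nil {
		return "", err
	}
	cleaned := path.Clean("/" + p) // "/..\..\x" stays "/..\..\x"
	return path.Join(root, cleaned), nil
}

// hardenedResolve is one way to close the gap (an added illustration, not
// necessarily the 5.0.3 fix): reject any '\' before normalizing, since no
// legitimate URL path needs one, then confirm the joined result still lies
// under root as a second, independent check.
func hardenedResolve(root, requested string) (string, error) {
	p, err := url.PathUnescape(requested)
	if err != nil {
		return "", err
	}
	if strings.ContainsRune(p, '\\') {
		return "", ErrBackslash
	}
	cleaned := path.Clean("/" + p) // leading "/" clamps any ".." at the root
	full := path.Join(root, cleaned)
	if !withinRoot(root, full) {
		return "", ErrTraversal
	}
	return full, nil
}

// withinRoot reports whether full is root itself or a descendant of root.
func withinRoot(root, full string) bool {
	root = path.Clean(root)
	return full == root || strings.HasPrefix(full, root+"/")
}

func main() {
	// Constructed sample requests; the last one is the backslash variant.
	requests := []string{
		"index.html",
		"css/../app.js",
		"../../etc/passwd",            // forward-slash traversal: clamped by Clean
		"..%5C..%5Cwindows%5Cwin.ini", // backslash traversal: survives Clean
	}
	for _, req := range requests {
		v, _ := vulnerableResolve("static", req)
		h, err := hardenedResolve("static", req)
		fmt.Printf("%-30s vulnerable=%-32q hardened=%q err=%v\n", req, v, h, err)
	}
}
```

Running it shows the forward-slash `../../etc/passwd` collapsing to `static/etc/passwd` in both resolvers, whereas `..%5C..%5Cwindows%5Cwin.ini` comes out of the vulnerable resolver as `static/..\..\windows\win.ini`, exactly the string a Windows `os.Open` would resolve outside `static`. Rejecting backslashes outright is simpler and easier to audit than trying to canonicalize them, and the `withinRoot` check costs nothing as defense in depth should the cleaning logic change later.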

Affected products

echo
  • >= 5.0.0, < 5.0.3
Ignored packages (15)
Not present in nixpkgs / Windows