Platform: go
Component: github.com/lin-snow/ech0
Fixed in: 4.2.9; 1.4.8-0.20260401031029-4ca56fea5ba4
CVE-2026-35037 describes a Server-Side Request Forgery (SSRF) vulnerability within the ech0 web application, specifically affecting versions before 1.4.8-0.20260401031029-4ca56fea5ba4. This flaw allows attackers to manipulate the application into making HTTP requests to arbitrary URLs, potentially exposing internal resources. The vulnerability resides in the /api/website/title endpoint, which lacks proper validation of the website_url query parameter. A fix has been released.
The SSRF vulnerability in ech0 poses a significant risk because it allows attackers to bypass network security controls and interact with internal systems through the application server. An attacker could leverage this to reach sensitive data exposed on internal network services, such as databases or configuration files. Furthermore, the ability to target cloud metadata endpoints (e.g., 169.254.169.254) could reveal credentials or other sensitive information stored in cloud environments. Because the endpoint returns the extracted HTML <title> of the fetched page, an attacker obtains partial response data and can gather information incrementally, potentially evading detection. This vulnerability shares similarities with other SSRF exploits where attackers use the server as a proxy to access resources it should not be able to reach.
CVE-2026-35037 was publicly disclosed on April 3, 2026. The vulnerability's severity is rated HIGH (CVSS 7.2). There is currently no indication of this vulnerability being actively exploited in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature makes it likely that a POC will be developed and shared in the near future.
Exploit Status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-35037 is to immediately upgrade to version 1.4.8-0.20260401031029-4ca56fea5ba4 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy to filter incoming requests and block those containing suspicious URLs in the website_url parameter. Specifically, block requests to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints. Additionally, implement strict input validation on the website_url parameter to ensure it adheres to an expected format and only allows trusted domains. After upgrading, confirm the fix by attempting to access the /api/website/title endpoint with a known malicious URL and verifying that the request is blocked or handled securely.
Update Ech0 to version 4.2.8 or later to mitigate the SSRF vulnerability. This version implements proper target host validation in the /api/website/title endpoint, preventing unauthorized access to internal services and cloud metadata.
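As an added example (not ech0's own code and not the upstream fix), here is a Go validator for a website_url parameter along the lines of the mitigation described above: it rejects non-HTTP schemes, embedded credentials and localhost names, refuses hosts that resolve into loopback, private or link-local space (which includes the 169.254.169.254 metadata range), and re-checks the literal address at dial time so that DNS rebinding and redirects cannot slip past the first check. The function names, the injectable resolver and the IPv4-mapped IPv6 handling are assumptions, not part of the advisory.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
	"syscall"
)

// blockedIP reports whether ip is an address the title fetcher must never
// contact: loopback, link-local (covers the 169.254.169.254 metadata
// endpoint), RFC 1918 / ULA private space, unspecified and multicast.
func blockedIP(ip net.IP) bool {
	return ip == nil || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() ||
		ip.IsUnspecified() || ip.IsMulticast() || ip.IsLinkLocalMulticast()
}

// validateTargetURL enforces http/https, rejects embedded credentials and
// localhost names, then checks every address the host resolves to. resolve is
// injectable so tests run without DNS; pass net.LookupIP in production.
func validateTargetURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.User != nil {
		return fmt.Errorf("rejected %q: bad scheme, credentials or syntax (%v)", raw, err)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q missing or localhost", host)
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if blockedIP(ip) { // any blocked answer fails the whole host
			return fmt.Errorf("%q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// dialControl, installed as net.Dialer.Control on the fetcher's http.Transport,
// re-checks the literal address being connected to (closes the DNS-rebinding
// window between validation and fetch, and also covers redirect targets).
func dialControl(_, address string, _ syscall.RawConn) error {
	if host, _, err := net.SplitHostPort(address); err != nil || blockedIP(net.ParseIP(host)) {
		return fmt.Errorf("dial to %s blocked", address)
	}
	return nil
}
```

Wire dialControl in with `&net.Dialer{Control: dialControl}` as the transport's DialContext so that every connection the fetcher opens, including those made after a redirect, goes through the same address check.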
CVE-2026-35037 is a Server-Side Request Forgery (SSRF) vulnerability in ech0 versions before 1.4.8-0.20260401031029-4ca56fea5ba4, allowing attackers to make requests to arbitrary URLs.
You are affected if you are using ech0 version prior to 1.4.8-0.20260401031029-4ca56fea5ba4. Check your version and upgrade immediately.
Upgrade to version 1.4.8-0.20260401031029-4ca56fea5ba4 or later. Implement WAF rules to block suspicious URLs as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the ech0 project's official repository and release notes for the advisory and detailed information.