Platform: go
Component: github.com/lin-snow/ech0
Fixed in: 4.2.9, 1.4.8-0.20260401031029-4ca56fea5ba4
CVE-2026-35037 describes a Server-Side Request Forgery (SSRF) vulnerability within the ech0 web application, specifically affecting versions before 1.4.8-0.20260401031029-4ca56fea5ba4. This flaw allows attackers to manipulate the application into making HTTP requests to arbitrary URLs, potentially exposing internal resources. The vulnerability resides in the /api/website/title endpoint, which lacks proper validation of the website_url query parameter. A fix has been released.
The SSRF vulnerability in ech0 poses a significant risk because it allows attackers to bypass network security controls and interact with internal systems. An attacker could leverage this to access sensitive data exposed on internal network services, such as databases or configuration files. Furthermore, the ability to target cloud metadata endpoints (e.g., 169.254.169.254) could reveal credentials or other sensitive information stored in cloud environments. Because the endpoint returns part of the fetched response through its HTML <title> tag extraction, information can be gathered incrementally, potentially evading detection. This vulnerability shares similarities with other SSRF exploits in which attackers use the server as a proxy to reach resources it should not be able to access.
CVE-2026-35037 was publicly disclosed on April 3, 2026. The vulnerability's severity is rated HIGH (CVSS 7.2). There is currently no indication of this vulnerability being actively exploited in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature makes it likely that a POC will be developed and shared in the near future.
Organizations deploying ech0 in environments with internal services or cloud infrastructure are at risk. Specifically, deployments that expose internal services via the internet or use cloud metadata endpoints for configuration are particularly vulnerable. Shared hosting environments where multiple users share the same ech0 instance are also at increased risk, as a compromised user could potentially exploit the vulnerability to access other users' data.
• linux / server: Use journalctl to filter for requests to the /api/website/title endpoint with unusual website_url parameters. Example: journalctl | grep '/api/website/title' | grep 'website_url='
• generic web: Use curl to test the /api/website/title endpoint with various URLs, including internal IP addresses and cloud metadata endpoints. Example: curl 'http://your-ech0-instance/api/website/title?website_url=http://169.254.169.254'
• generic web: Examine access and error logs for requests to /api/website/title with suspicious or unexpected URLs. Look for patterns indicating attempts to access internal resources.
disclosure
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35037 is to immediately upgrade to version 1.4.8-0.20260401031029-4ca56fea5ba4 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy to filter incoming requests and block those containing suspicious URLs in the website_url parameter. Specifically, block requests to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints. Additionally, implement strict input validation on the website_url parameter to ensure it adheres to an expected format and only allows trusted domains. After upgrading, confirm the fix by attempting to access the /api/website/title endpoint with a known malicious URL and verifying that the request is blocked or handled securely.
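The detection bullets above (log review for /api/website/title calls) and the mitigation just described (validating website_url and refusing internal ranges and metadata endpoints) both reduce to the same test: does the requested URL map to an address the server must never fetch on a client's behalf? The Go program below is an added example, not ech0 project code. The names ValidateWebsiteURL, isBlockedIP, FlagSuspiciousLogLines, Resolver and sampleLogLines are chosen for this example, the log lines and the resolver answers are constructed so that it runs offline, and it goes slightly beyond the advisory's three RFC 1918 ranges by also rejecting loopback, link-local (which contains 169.254.169.254), unspecified, multicast and IPv6 ULA addresses.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Added example, not ech0 code; every name below is chosen for this example.

// Resolver maps a host name to its addresses. It is injected so the example
// runs offline; in production wrap net.DefaultResolver.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// isBlockedIP: loopback, unspecified, RFC 1918 / IPv6 ULA private space,
// link-local (which contains 169.254.169.254) and multicast are never fetched.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// ValidateWebsiteURL enforces the checks the advisory calls for: http(s) only
// and a host that is neither localhost nor (after resolution) any blocked
// address. Dial the validated IP rather than re-resolving the name afterwards,
// so a DNS answer that changes between check and fetch cannot reopen the hole.
func ValidateWebsiteURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("malformed url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return fmt.Errorf("missing host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("localhost not allowed")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve the name
		if ips, err = resolve(host); err != nil {
			return fmt.Errorf("resolve %s: %w", host, err)
		}
		if len(ips) == 0 {
			return fmt.Errorf("%s resolved to no addresses", host)
		}
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("host %s maps to blocked address %s", host, ip)
		}
	}
	return nil
}

// sampleLogLines are constructed combined-format access-log lines, not real ech0 output.
var sampleLogLines = []string{
	`203.0.113.5 - - [03/Apr/2026:10:00:00 +0000] "GET /api/website/title?website_url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 41`,
	`203.0.113.5 - - [03/Apr/2026:10:00:01 +0000] "GET /api/website/title?website_url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 12`,
	`203.0.113.5 - - [03/Apr/2026:10:00:02 +0000] "GET /api/website/title?website_url=http%3A%2F%2F%5B%3A%3A1%5D%3A8080%2F HTTP/1.1" 200 12`,
	`203.0.113.5 - - [03/Apr/2026:10:00:03 +0000] "GET /api/website/title?website_url=http%3A%2F%2Finternal.example%2F HTTP/1.1" 200 12`,
	`203.0.113.5 - - [03/Apr/2026:10:00:04 +0000] "GET /api/posts HTTP/1.1" 200 512`,
}

// FlagSuspiciousLogLines returns the lines whose /api/website/title call has a
// website_url that fails ValidateWebsiteURL. ParseQuery still returns what it
// could decode on error, so a malformed query is judged on its decoded part.
func FlagSuspiciousLogLines(lines []string, resolve Resolver) []string {
	const path = "/api/website/title"
	var hits []string
	for _, line := range lines {
		idx := strings.Index(line, path)
		if idx < 0 {
			continue
		}
		rest := line[idx+len(path):]
		if end := strings.IndexAny(rest, ` "`); end >= 0 {
			rest = rest[:end] // drop the protocol version and response fields
		}
		q, _ := url.ParseQuery(strings.TrimPrefix(rest, "?"))
		if t := q.Get("website_url"); t != "" && ValidateWebsiteURL(t, resolve) != nil {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	// Constructed offline resolver answers; swap in a real lookup in production.
	res := func(host string) ([]net.IP, error) {
		if host == "internal.example" {
			return []net.IP{net.ParseIP("10.1.2.3")}, nil
		}
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	}
	for _, l := range FlagSuspiciousLogLines(sampleLogLines, res) {
		fmt.Println("suspicious:", l)
	}
}
```

Run as-is, the program prints the second, third and fourth sample lines: the metadata IP, the bracketed IPv6 loopback literal, and the name that resolves into 10.0.0.0/8. The same ValidateWebsiteURL check is what a reverse proxy or the handler itself should apply before fetching; the resolver injection is there because a hostname check that ignores what the name resolves to does not close the hole.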
Upgrade Ech0 to version 4.2.8 or later to mitigate the SSRF vulnerability. This version implements proper validation of the target host in the /api/website/title endpoint, preventing unauthorized access to internal services and cloud metadata.
CVE-2026-35037 is a Server-Side Request Forgery (SSRF) vulnerability in ech0 versions before 1.4.8-0.20260401031029-4ca56fea5ba4, allowing attackers to make requests to arbitrary URLs.
You are affected if you are using an ech0 version prior to 1.4.8-0.20260401031029-4ca56fea5ba4. Check your version and upgrade immediately.
Upgrade to version 1.4.8-0.20260401031029-4ca56fea5ba4 or later. Implement WAF rules to block suspicious URLs as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the ech0 project's official repository and release notes for the advisory and detailed information.