Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Remote unauthenticated request with an encoded slash needs no privileges or interaction (AV:N/AC:L/PR:N/UI:N); impact is unauthorized file reads only, so C:H but I:N/A:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization. This vulnerability is fixed in 4.15.3 and 5.2.0.
AnalysisAI
Path-based access control bypass in the LabStack Echo Go web framework (versions prior to 4.15.3 and 5.2.0) lets remote attackers retrieve protected static files without authorization. The flaw stems from the router matching routes on the raw encoded path (keeping %2F literal) while StaticDirectoryHandler decodes %2F to '/' before filesystem resolution, so a crafted URL slips past route-level guards. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Echo application (1) serves files using StaticDirectoryHandler and (2) enforces access controls via route-level middleware on those static paths - this is the exact precondition implied by the advisory's router/handler decoding mismatch. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderate and internally consistent: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N yields 7.5 (High) with network reach, low complexity, no privileges and no user interaction, but impact is confined to confidentiality (C:H, I:N, A:N) - no integrity or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An Echo application protects a directory of sensitive static files (e.g., /private/) with route middleware while serving them via StaticDirectoryHandler. An unauthenticated attacker requests a URL using %2F in place of the slash so the router's access-control route fails to match, but the static handler decodes it and returns the protected file. … |
| Remediation | Vendor-released patch: upgrade to Echo 4.15.3 on the 4.x branch or 5.2.0 on the 5.x branch, which align path decoding between the router and StaticDirectoryHandler; see the advisory at https://github.com/labstack/echo/security/advisories/GHSA-vfp3-v2gw-7wfq. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all applications using LabStack Echo framework (versions 4.x and 5.x) and identify those serving protected static files; consult application teams on deployment status and assets at risk. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. Rated cr
Unauthenticated remote file read in Echo web framework versions 5.0.0-5.0.2 on Windows allows attackers to traverse outs
An issue was discovered in Veal98 Echo Open-Source Community System 2.2 thru 2.3 allowing an unauthenticated attacker to
The Echo extension for MediWiki does not properly implement the hideuser functionality, which allows remote authenticate
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39800