Echo has a Windows path traversal via backslash in middleware.Static default filesystem
Description
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and normalized with path.Clean (URL semantics). path.Clean does not treat \ as a path separator, so ..\ sequences remain in the cleaned path. The resulting path is then passed to currentFS.Open(...). When the filesystem is left at the default (nil), Echo uses defaultFS which calls os.Open (echo.go:792). On Windows, os.Open treats \ as a path separator and resolves ..\, allowing traversal outside the static root. Version 5.0.3 fixes the issue.
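The separator mismatch the description walks through, as an added Go example that is not Echo's code and not the 5.0.3 fix: `vulnerableNormalize` mirrors a rooted `path.Clean` that only knows `/`, `hardenedNormalize` folds backslashes to `/` before cleaning so every parent reference is collapsed, and `escapesRoot` is a post-normalization check that reads the result the way a Windows `os.Open` would (either slash as a separator). The request strings and the `/srv/static` root are constructed; the example only manipulates strings, so it runs the same on any OS.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed request paths: the first has the backslash shape the advisory
// describes, the rest are ordinary static-file requests.
var sampleRequests = []string{
	`..\..\outside.txt`,
	"../../etc/passwd",
	"css/../app.js",
	"img/logo.png",
}

// vulnerableNormalize mirrors the normalization the advisory describes: the
// request path is rooted and cleaned with path.Clean, which treats only "/"
// as a separator. A "..\" component therefore survives cleaning untouched.
func vulnerableNormalize(requestPath string) string {
	return path.Clean("/" + requestPath)
}

// hardenedNormalize is an added defensive variant (not Echo's own fix):
// backslashes are folded to "/" first, so the rooted path.Clean collapses
// every ".." regardless of which separator the client sent.
func hardenedNormalize(requestPath string) string {
	return path.Clean("/" + strings.ReplaceAll(requestPath, `\`, "/"))
}

// escapesRoot reports whether a normalized path still carries a ".."
// component when split on either "/" or "\", i.e. as a Windows open would
// interpret it. It is a cheap guard to run after any normalization step.
func escapesRoot(cleaned string) bool {
	elems := strings.FieldsFunc(cleaned, func(r rune) bool {
		return r == '/' || r == '\\'
	})
	for _, elem := range elems {
		if elem == ".." {
			return true
		}
	}
	return false
}

// serveUnderRoot wires the guard in: it refuses any path that would still
// escape and otherwise returns the joined filesystem path under root.
func serveUnderRoot(root, requestPath string, normalize func(string) string) (string, bool) {
	cleaned := normalize(requestPath)
	if escapesRoot(cleaned) {
		return "", false
	}
	return path.Join(root, cleaned), true
}

func main() {
	const root = "/srv/static" // constructed static root
	for _, req := range sampleRequests {
		_, okVuln := serveUnderRoot(root, req, vulnerableNormalize)
		target, okHard := serveUnderRoot(root, req, hardenedNormalize)
		fmt.Printf("%-22q path.Clean-only flagged=%-5v hardened -> %q ok=%v\n",
			req, !okVuln, target, okHard)
	}
}
```

With the `path.Clean`-only normalization the guard is what catches the backslash request; with the hardened normalization the `..` never reaches the filesystem layer in the first place. Either change on its own is a sufficient defensive measure against the shape described above, and both together make the behaviour identical on Windows and POSIX hosts.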
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/labstack/echo/v5 | Go | >= 5.0.0, < 5.0.3 | 5.0.3 |
Affected products
- pkg:golang/github.com/labstack/echo/v5 (no CPE), range: >= 5.0.0, < 5.0.3
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 0.0.20260226T182644-150000.1.149.1
- labstack/echo v5 (GHSA coordinates), range: >= 5.0.0, < 5.0.3
References
- github.com/advisories/GHSA-pgvm-wxw2-hrv9 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25766 (GHSA, advisory)
- github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1 (GHSA, misc)
- github.com/labstack/echo/pull/2891 (GHSA, misc)
- github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9 (GHSA, confirm)
- pkg.go.dev/vuln/GO-2026-4502 (GHSA, web)