x/vulndb: potential Go vuln in github.com/labstack/echo/v5: GHSA-pgvm-wxw2-hrv9

Advisory [GHSA-pgvm-wxw2-hrv9](https://github.com/advisories/GHSA-pgvm-wxw2-hrv9) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/labstack/echo](https://pkg.go.dev/github.com/labstack/echo) |
| [github.com/labstack/echo/v4](https://pkg.go.dev/github.com/labstack/echo/v4) |
| [github.com/labstack/echo/v5](https://pkg.go.dev/github.com/labstack/echo/v5) |

Description:
### Summary
On Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling
unauthenticated remote file read outside the static root.

### Details  

  In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics).
  `path.Clean` does **not** treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting
  path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS`
  which calls `os.Open` (`echo.go:792`). On W...

References:
- ADVISORY: https://github.com/advisories/GHSA-pgvm-wxw2-hrv9
- ADVISORY: https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9
- FIX: https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1
- FIX: https://github.com/labstack/echo/pull/2891

Cross references:
- github.com/labstack/echo/v4 appears in 2 other report(s):
  - data/reports/GO-2021-0051.yaml    (https://github.com/golang/vulndb/issues/51)
  - data/reports/GO-2022-1031.yaml    (https://github.com/golang/vulndb/issues/1031)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/labstack/echo
      vulnerable_at: 3.3.10+incompatible
    - module: github.com/labstack/echo/v4
      vulnerable_at: 4.15.0
    - module: github.com/labstack/echo/v5
      versions:
        - introduced: 5.0.0
        - fixed: 5.0.3
      vulnerable_at: 5.0.2
summary: |-
    Echo has a Windows path traversal via backslash in middleware.Static default
    filesystem in github.com/labstack/echo
cves:
    - CVE-2026-25766
ghsas:
    - GHSA-pgvm-wxw2-hrv9
references:
    - advisory: https://github.com/advisories/GHSA-pgvm-wxw2-hrv9
    - advisory: https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9
    - fix: https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1
    - fix: https://github.com/labstack/echo/pull/2891
source:
    id: GHSA-pgvm-wxw2-hrv9
    created: 2026-02-17T19:01:57.146062898Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/labstack/echo/v5: GHSA-pgvm-wxw2-hrv9 #4502

Summary

Details

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/labstack/echo/v5: GHSA-pgvm-wxw2-hrv9 #4502

Description

Summary

Details

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions