Source: golang-github-labstack-echo
Version: 4.12.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-labstack-echo.

CVE-2026-55677[0]:
| Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router
| and static file handler disagree on URL path decoding. The router
| matches routes using the raw encoded path (preserving %2F as-is),
| while StaticDirectoryHandler unescapes %2F to / before resolving
| filesystem paths. This allows an attacker to bypass route-level
| access controls and read static files without authorization. This
| vulnerability is fixed in 4.15.3 and 5.2.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-55677
    https://www.cve.org/CVERecord?id=CVE-2026-55677
[1] https://github.com/labstack/echo/security/advisories/GHSA-vfp3-v2gw-7wfq

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to