
CVE Reports

Originally published at cvereports.com

GHSA-8MC6-XJPR-H98X: Server-Side Request Forgery (SSRF) in Ech0 fetchPeerConnectInfo

Vulnerability ID: GHSA-8MC6-XJPR-H98X
CVSS Score: 8.0
Published: 2026-05-07

The Ech0 application is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-provided URLs in the peer connection management functionality. Authenticated users with the ability to add connections can force the server to execute arbitrary HTTP GET requests against internal network resources, loopback interfaces, and cloud metadata services.

TL;DR

A critical SSRF vulnerability in Ech0 allows authorized users to query internal networks and cloud metadata services via the connect handler, exposing sensitive environment configurations.

⚠️ Exploit Status: PoC

Technical Details

  • Vulnerability Class: Server-Side Request Forgery (SSRF)
  • CWE ID: CWE-918
  • CVSS Score: 8.0 (High)
  • Vulnerable Component: fetchPeerConnectInfo function
  • Attack Vector: Network (Authenticated User Input)
  • Impact: Information Disclosure / Internal Network Access
  • Exploit Status: Conceptualized / PoC Available

Affected Systems

  • Ech0 (github.com/lin-snow/ech0)
  • Cloud Metadata Services (indirectly)
  • Internal Corporate Networks (indirectly)
  • Ech0: Prior to commit 091d26d2d942df6df9f520328d2f9cf2592bbefc (Fixed in: 091d26d2d942df6df9f520328d2f9cf2592bbefc)

Code Analysis

Commit: 091d26d

Implemented httpUtil.SendSafeRequest and ValidatePublicHTTPURL to resolve SSRF vulnerability
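As an added illustration of the kind of check the fix commit describes (example code written for this page, not Ech0's own ValidatePublicHTTPURL or SendSafeRequest), the Go function below parses a peer URL, accepts only http and https, resolves the host through an injected lookup function (net.LookupIP in practice; the injection and the validatePublicHTTPURL name are assumptions) and rejects any address in loopback, private, link-local or unspecified space, which covers 127.0.0.1, RFC 1918 ranges and 169.254.169.254:

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// isPublicIP reports whether ip lies outside loopback, private (RFC 1918 and
// fc00::/7), link-local (which includes 169.254.169.254), unspecified and
// multicast space. Ranges without a stdlib classifier (e.g. 100.64.0.0/10)
// would need explicit CIDR checks added here.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast())
}

// validatePublicHTTPURL (hypothetical name; not the project's function) parses
// raw, requires http or https, resolves the host with lookup (net.LookupIP in
// production; injected so the check can be unit-tested offline) and fails if
// any returned address is non-public. The resolved IPs are returned so the
// caller can dial them directly instead of resolving the name a second time.
func validatePublicHTTPURL(raw string, lookup func(string) ([]net.IP, error)) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // strips port and IPv6 brackets
	if host == "" {
		return nil, errors.New("empty host")
	}
	ips, err := lookup(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve %q", host)
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, fmt.Errorf("%q resolves to non-public address %s", host, ip)
		}
	}
	return ips, nil
}
```

Returning the resolved addresses lets the caller dial those exact IPs rather than re-resolving the name, which closes the DNS-rebinding window between check and request; redirects should be disabled or re-validated through the same function for the same reason.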

Mitigation Strategies

  • Upgrade to a patched version of Ech0 containing commit 091d26d2d942df6df9f520328d2f9cf2592bbefc.
  • Enforce network egress filtering to restrict the application from reaching internal IP addresses (RFC 1918).
  • Require AWS IMDSv2 on all cloud instances; because IMDSv2 demands a session token obtained via a PUT request before any metadata GET, a plain GET forced through this SSRF cannot read instance metadata.
  • Use strict firewall rules to block access to the cloud metadata IP address (169.254.169.254) from the application container.

Remediation Steps:

  1. Identify all deployed instances of the github.com/lin-snow/ech0 application.
  2. Update the application repository to pull in commit 091d26d2d942df6df9f520328d2f9cf2592bbefc or later.
  3. Recompile and deploy the patched application.
  4. Review the registered 'Connect' entries in the database to identify and remove any suspicious or malicious URLs.
  5. Review access logs for requests to /api/connects/info to identify potential past exploitation attempts.
