GHSA-FPW6-HRG5-Q5X5: Irrevocable Access Tokens and Nil-Pointer Dereference in Ech0
Vulnerability ID: GHSA-FPW6-HRG5-Q5X5
CVSS Score: 7.4
Published: 2026-05-07
Ech0 access tokens created with the 'never expire' option generate JSON Web Tokens (JWT) missing the 'exp' claim. This structural omission causes a nil-pointer dereference during logout and prevents the JTI blacklisting mechanism from functioning. Consequently, leaked access tokens cannot be revoked by administrators.
TL;DR
A missing expiration claim in Ech0's 'never expire' JWTs causes panics and silently breaks token revocation, allowing attackers to maintain perpetual access with stolen tokens.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-613, CWE-476, CWE-300
- Attack Vector: Network
- CVSS Score: 7.4
- Impact: Persistent Authorization Bypass
- Exploit Status: Proof of Concept
- Component: JWT Handler & Authentication Repository
Affected Systems
- Ech0 (all versions prior to commit eab62379)
-
Ech0: < 1.4.8 (Fixed in:
1.4.8)
Code Analysis
Commit: eab6237
Fix token expiration fallback and ensure JTI revocation during admin deletion
Mitigation Strategies
- Update Ech0 to version 1.4.8 or later
- Rotate the global JWT_SECRET in application configuration to invalidate all currently circulating tokens
- Audit database records for legacy tokens with missing expiration configuration
Remediation Steps:
- Pull the latest Ech0 release (v1.4.8) from the official repository.
- Restart the Ech0 application service to apply the updated binary.
- Identify all access tokens currently configured with 'never expire' via the administrative interface.
- Delete and recreate these specific tokens to ensure they utilize the new 100-year fallback logic.
- If active exploitation is suspected, rotate the JWT_SECRET environment variable immediately.
References
Read the full report for GHSA-FPW6-HRG5-Q5X5 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)