GHSA-MQXV-9RM6-W8QC: CPU Exhaustion in Ech0 i18n Middleware via Accept-Language Header Parser Bypass
Vulnerability ID: GHSA-MQXV-9RM6-W8QC
CVSS Score: 8.7
Published: 2026-07-14
A critical Denial of Service (DoS) vulnerability in the Ech0 publishing platform allows unauthenticated remote attackers to exhaust CPU resources via a crafted Accept-Language header. By utilizing underscore separators instead of hyphens, the attack bypasses the CVE-2022-32149 guard within the Go language tag parser, triggering a quadratic-time complexity operation.
TL;DR
Unauthenticated remote attackers can exhaust server CPU resources by sending a crafted 1 MiB Accept-Language header using underscores, bypassing CVE-2022-32149.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network
- CVSS: 8.7 (High)
- Complexity: Low
- Impact: Denial of Service (CPU Exhaustion)
- Exploit Status: Proof-of-Concept Available
- KEV Status: Not Listed
Affected Systems
- Ech0 publishing platform (github.com/lin-snow/ech0)
-
github.com/lin-snow/ech0: < 5.0.1 (Fixed in:
5.0.1)
Mitigation Strategies
- Upgrade to Ech0 version 5.0.1 or higher.
- Implement validation on the incoming Accept-Language header to limit length and the count of separators before parsing.
- Configure front-end reverse proxies or WAFs to restrict HTTP header lengths.
Remediation Steps:
- Verify your current version of github.com/lin-snow/ech0 is below 5.0.1.
- Modify your go.mod file to require github.com/lin-snow/ech0 v5.0.1 or apply the defensive middleware patch directly in internal/i18n/i18n.go.
- Recompile and deploy the updated binary to your production environments.
References
Read the full report for GHSA-MQXV-9RM6-W8QC on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)