DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-MQXV-9RM6-W8QC: GHSA-MQXV-9RM6-W8QC: CPU Exhaustion in Ech0 i18n Middleware via Accept-Language Header Parser Bypass

GHSA-MQXV-9RM6-W8QC: CPU Exhaustion in Ech0 i18n Middleware via Accept-Language Header Parser Bypass

Vulnerability ID: GHSA-MQXV-9RM6-W8QC
CVSS Score: 8.7
Published: 2026-07-14

A critical Denial of Service (DoS) vulnerability in the Ech0 publishing platform allows unauthenticated remote attackers to exhaust CPU resources via a crafted Accept-Language header. By utilizing underscore separators instead of hyphens, the attack bypasses the CVE-2022-32149 guard within the Go language tag parser, triggering a quadratic-time complexity operation.

TL;DR

Unauthenticated remote attackers can exhaust server CPU resources by sending a crafted 1 MiB Accept-Language header using underscores, bypassing CVE-2022-32149.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS: 8.7 (High)
  • Complexity: Low
  • Impact: Denial of Service (CPU Exhaustion)
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not Listed

Affected Systems

  • Ech0 publishing platform (github.com/lin-snow/ech0)
  • github.com/lin-snow/ech0: < 5.0.1 (Fixed in: 5.0.1)

Mitigation Strategies

  • Upgrade to Ech0 version 5.0.1 or higher.
  • Implement validation on the incoming Accept-Language header to limit length and the count of separators before parsing.
  • Configure front-end reverse proxies or WAFs to restrict HTTP header lengths.

Remediation Steps:

  1. Verify your current version of github.com/lin-snow/ech0 is below 5.0.1.
  2. Modify your go.mod file to require github.com/lin-snow/ech0 v5.0.1 or apply the defensive middleware patch directly in internal/i18n/i18n.go.
  3. Recompile and deploy the updated binary to your production environments.

References


Read the full report for GHSA-MQXV-9RM6-W8QC on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)