
CVE Reports

Originally published at cvereports.com


GHSA-P64J-F4X9-WQ66: OAuth Redirect URI Path Truncation in Ech0 Leads to Authorization Code Theft

Vulnerability ID: GHSA-P64J-F4X9-WQ66
CVSS Score: 8.1
Published: 2026-05-07

The Ech0 lightweight publishing platform contains a critical vulnerability in its OAuth 2.0 implementation where redirect URI validation ignores the path component. This oversight permits attackers to route authenticated victims to malicious endpoints on trusted domains, resulting in the theft of authorization codes and subsequent account takeover.
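To make the validation gap concrete, the following is an added Go example (not Ech0's own code) that contrasts a scheme-and-host-only check, the pre-fix behaviour described above, with a scheme-host-and-full-path check modelled on the fix commit. The allow-list entry, host names and paths are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// normalize builds the comparison key the fix uses: lower-cased scheme and
// host plus the path taken verbatim (query and fragment are not part of it).
func normalize(u *url.URL) string {
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host) + u.Path
}

// ValidateRedirect checks redirectURI against the configured allow-list.
// checkPath=false mirrors the vulnerable behaviour (scheme and host only);
// checkPath=true mirrors the fix (scheme, host and the complete path).
func ValidateRedirect(redirectURI string, allowed []string, checkPath bool) bool {
	r, err := url.Parse(redirectURI)
	if err != nil || r.Scheme == "" || r.Host == "" {
		return false // relative or unparsable URIs are rejected outright
	}
	for _, a := range allowed {
		u, err := url.Parse(a)
		if err != nil {
			continue
		}
		if checkPath {
			if normalize(r) == normalize(u) {
				return true
			}
		} else if strings.EqualFold(r.Scheme, u.Scheme) && strings.EqualFold(r.Host, u.Host) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed allow-list entry; the host is a placeholder, not a real deployment.
	allowed := []string{"https://app.example.test/oauth/callback"}
	cases := []string{
		"https://app.example.test/oauth/callback",  // the legitimate callback
		"HTTPS://APP.EXAMPLE.TEST/oauth/callback",  // case differences in scheme/host are tolerated
		"https://app.example.test/attacker/page",   // same trusted host, different path
		"https://app.example.test/oauth/callback/", // trailing slash: rejected by exact path match
	}
	for _, c := range cases {
		fmt.Printf("%-44s host-only=%-5v full-path=%v\n", c, ValidateRedirect(c, allowed, false), ValidateRedirect(c, allowed, true))
	}
}
```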

TL;DR

Improper validation of OAuth redirect URIs in Ech0 allows attackers to append malicious paths to trusted domains. Exploitation leads to the theft of authorization exchange codes and full account takeover.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-601
  • Attack Vector: Network
  • CVSS Score: 8.1 (High)
  • Impact: Account Takeover via Code Theft
  • Exploit Status: Proof of Concept
  • Authentication Required: None

Affected Systems

  • Ech0 open-source publishing platform
  • Ech0: versions before commit a7e8b8e84bd1e3db090dfb720f2c6c433356b442 (fixed in that commit)

Code Analysis

Commit: a7e8b8e

Fix OAuth redirect URI validation by normalizing and checking the complete path.

@@ -50,8 +50,11 @@ func parseAndValidateClientRedirect(redirectURI string, allowedURIs []string) (b
-       if strings.EqualFold(redirectURL.Scheme, allowURL.Scheme) &&
-          strings.EqualFold(redirectURL.Host, allowURL.Host) {
+       redirectNorm := strings.ToLower(redirectURL.Scheme) + "://" + strings.ToLower(redirectURL.Host) + redirectURL.Path
+       allowNorm := strings.ToLower(allowURL.Scheme) + "://" + strings.ToLower(allowURL.Host) + allowURL.Path
+       if redirectNorm == allowNorm {
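Review bot: the commit message describes the path as normalized, but in the three added lines it is appended verbatim (`+ redirectURL.Path`, `+ allowURL.Path`) and only scheme and host are case-folded, so a configured `/oauth/callback` will not match a presented `/oauth/callback/`, and any `..` segment simply fails the equality check rather than being resolved. That is fail-closed and acceptable, but it should be stated in a comment above `if redirectNorm == allowNorm {` that exact path matching is intended, and a table-driven test should cover a same-host/different-path URI, a case-only variation of scheme and host, and a trailing-slash variant. Note also that because `Path` (the decoded form) is used rather than `RawPath`, two URIs that differ only in percent-encoding compare equal; fine for an allow-list equality check, but worth a sentence in the commit message.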

Exploit Details

  • GitHub Advisory: Exploitation steps detailing URI poisoning and referer leakage.

Mitigation Strategies

  • Update application codebase to a version containing the patch commit a7e8b8e84bd1e3db090dfb720f2c6c433356b442.
  • Audit the Auth.Redirect.AllowedReturnURLs configuration to limit whitelisted domains.
  • Implement strict Web Application Firewall (WAF) rules to validate OAuth redirect URI structures.
  • Monitor application logs for anomalous OAuth callback endpoints and open redirect patterns.

Remediation Steps:

  1. Identify the current running version of the Ech0 deployment.
  2. Pull the latest updates from the official Ech0 repository, ensuring commit a7e8b8e84bd1e3db090dfb720f2c6c433356b442 is included.
  3. Review the application configuration file and explicitly define the full callback URLs rather than relying on domain-level trust.
  4. Restart the Ech0 application service to apply the updated binary and configuration.
  5. Execute functional tests against the /login and /bind endpoints to confirm malicious paths are rejected.

Read the full report for GHSA-P64J-F4X9-WQ66 on our website for more details including interactive diagrams and full exploit analysis.
