CVE-2020-36565
Published 2022-12-07
PriorityP428medium5.3CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 1.33% (67.6th percentile)
Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-labstack-echo | — | — |
| debian | golang-github-labstack-echo.v2 | — | — |
| debian | golang-github-labstack-echo.v3 | — | — |
| github.com | labstack_echo_v4 | >= 0 < 4.2.0 | 4.2.0 |
| github.com | labstack_echo_v4 | >= 0 < 4.1.18-0.20201215153152-4422e3b66b9f | 4.1.18-0.20201215153152-4422e3b66b9f |
| github.com | labstack_echo_v4_github.com_labstack_echo_v4 | < 4.1.18-0.20201215153152-4422e3b66b9f | 4.1.18-0.20201215153152-4422e3b66b9f |
| github.com | labstack_echo_v5 | >= 5.0.0 < 5.0.3 | 5.0.3 |
| labstack | echo | < 4.2.0 | 4.2.0 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| ghsa | 5.3 | MEDIUM | — |
| osv | 5.3 | MEDIUM | — |
| vendor_debian | 5.3 | LOW | — |
GHSA · 2026-02-17 · CVSS 5.3
CVE-2026-25766 [MEDIUM] CWE-22: Echo has a Windows path traversal via backslash in middleware.Static default filesystem
### Summary
On Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling
unauthenticated remote file read outside the static root.
### Details
In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics).
`path.Clean` does **not** treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting
path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS`
which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`,
allowing traversal outside the static root.
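The two-step mechanism in the Details section (URL-semantics `path.Clean` leaving `..\` intact, then an OS-level open that honours `\`) is easy to reproduce and to defend against in a few lines of Go. The following is an added illustration, not code from Echo or from the advisory: `cleanRequestPath` mirrors the normalization the advisory describes, `safeStaticPath` is a hypothetical OS-independent guard that rejects backslashes outright before validating the cleaned name with `fs.ValidPath` (which, by its documented contract, accepts backslashes and so cannot be relied on alone), and `sampleRoot` is a constructed in-memory static root standing in for the on-disk directory.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"net/url"
	"path"
	"strings"
	"testing/fstest"
)

// ErrTraversal is returned for any request path that could leave the static root.
var ErrTraversal = errors.New("static: request path escapes root")

// sampleRoot is a constructed in-memory static root (assumption, not Echo's
// own layout); nothing exists outside it, which is the property a static
// handler has to preserve when the root is a real directory on disk.
var sampleRoot = fstest.MapFS{
	"index.html":   {Data: []byte("<h1>hello</h1>")},
	"css/site.css": {Data: []byte("body{}")},
}

// cleanRequestPath mirrors the URL-semantics normalization the advisory
// describes: percent-unescape, then path.Clean. path.Clean only knows "/",
// so an element such as "..\" survives it untouched.
func cleanRequestPath(raw string) (string, error) {
	p, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + p), nil
}

// safeStaticPath (hypothetical guard) turns a request path into a
// root-relative, slash-separated name that is safe to hand to fs.FS.Open on
// any OS. It rejects backslashes outright: path.Clean leaves them alone,
// os.Open on Windows treats them as separators, and fs.ValidPath does not
// reject them either.
func safeStaticPath(raw string) (string, error) {
	cleaned, err := cleanRequestPath(raw)
	if err != nil {
		return "", err
	}
	if strings.ContainsRune(cleaned, '\\') {
		return "", ErrTraversal
	}
	rel := strings.TrimPrefix(cleaned, "/")
	if rel == "" {
		rel = "."
	}
	// fs.ValidPath rejects empty, "." and ".." elements and leading or
	// trailing slashes; after path.Clean this is a belt-and-braces check.
	if !fs.ValidPath(rel) {
		return "", ErrTraversal
	}
	return rel, nil
}

// serveStatic reads the requested file from root, or fails closed.
func serveStatic(root fs.FS, raw string) ([]byte, error) {
	rel, err := safeStaticPath(raw)
	if err != nil {
		return nil, err
	}
	return fs.ReadFile(root, rel)
}

func main() {
	for _, raw := range []string{
		"/css/../index.html",    // forward-slash dot-dot: path.Clean resolves it
		`/..\..\secret.txt`,     // literal backslashes: survive path.Clean unchanged
		"/..%5C..%5Csecret.txt", // percent-encoded backslashes: identical after unescape
	} {
		cleaned, _ := cleanRequestPath(raw)
		_, err := serveStatic(sampleRoot, raw)
		fmt.Printf("%-26q cleaned=%-22q served_err=%v\n", raw, cleaned, err)
	}
}
```

Running it shows the first request served from the root and both backslash variants rejected before any file system call is made. The decision to reject `\` rather than translate it is deliberate: a static handler has no legitimate reason to accept backslashes in a URL path, and a hard reject is the same on every platform, so the behaviour does not depend on which OS the tests happen to run on.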
Relevant
OSV · 2026-02-17 · CVSS 5.3
CVE-2026-25766 [MEDIUM]: Echo has a Windows path traversal via backslash in middleware.Static default filesystem (same summary and details text as the GHSA entry above).
OSV · 2022-12-07 · CVSS 5.3
CVE-2020-36565 [MEDIUM]: Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
OSV · 2022-12-07
CVE-2020-36565 [MEDIUM]: Echo vulnerable to directory traversal
Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
GHSA · 2022-12-07
CVE-2020-36565 [MEDIUM] CWE-22: Echo vulnerable to directory traversal
Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
OSV · 2021-04-14
CVE-2020-36565: Directory traversal on Windows in github.com/labstack/echo/v4
Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
Debian (vendor_debian) · 2020 · CVSS 5.3
CVE-2020-36565 [MEDIUM] golang-github-labstack-echo: Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
Scope: local
bookworm: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa
https://github.com/labstack/echo/pull/1718
https://pkg.go.dev/vuln/GO-2021-0051