Description

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.

INFO

Published Date :

2026-02-19T15:49:02.402Z

Last Modified :

2026-02-19T19:46:01.829Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25766 vulnerability.

Vendors Products
Labstack
  • Echo
Microsoft
  • Windows
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25766.

URL Resource
https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1 cve-icon cve-icon
https://github.com/labstack/echo/pull/2891 cve-icon cve-icon
https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact