CVE-2026-25766

MEDIUM 5.3

Echo has a Windows path traversal via backslash in middleware.Static default filesystem

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.

CWE	CWE-22
Vendor	labstack
Product	echo
Published	Feb 19, 2026
Last Updated	Feb 19, 2026

Stay Ahead of the Next One

Get instant alerts for labstack echo

Be the first to know when new medium vulnerabilities affecting labstack echo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

labstack / echo

>= 5.0.0, < 5.0.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9 github.com: https://github.com/labstack/echo/pull/2891 github.com: https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1