github labstack/echo v4.15.3
v4.15.3 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)
on GitHub

7 hours ago

Security

  • fix(static): reject encoded path separators that bypass route-level middleware by @vishr in #3011

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3009, released in v5.2.0). Thanks to @a-tt-om and @oran-gugu for reporting.

Full Changelog: v4.15.2...v4.15.3

Check out latest releases or
releases around labstack/echo v4.15.3

Don't miss a new echo release

NewReleases is sending notifications on new releases.

Get notifications