{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ech0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","ech0","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Ech0 application suffers from an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in its website preview feature. The \u003ccode\u003e/api/website/title\u003c/code\u003e endpoint, intended to fetch the title of a web page, accepts a fully attacker-controlled URL in its \u003ccode\u003ewebsite_url\u003c/code\u003e parameter without authentication, so anyone who can reach the Ech0 instance can make the server issue HTTP or HTTPS requests to arbitrary URLs. The application has no host allowlist or SSRF filter, and it disables TLS certificate validation (\u003ccode\u003eInsecureSkipVerify: true\u003c/code\u003e), so it will also talk to internal HTTPS services that present self-signed certificates. The backend follows HTTP redirects with the default \u003ccode\u003ehttp.Client\u003c/code\u003e behavior and reads the entire response body into memory with \u003ccode\u003eio.ReadAll\u003c/code\u003e without any size limit, so besides reaching internal services an attacker can point the server at a URL that returns a very large body and exhaust its memory. The vulnerability is present in Ech0 versions prior to 1.4.8-0.20260401031029-4ca56fea5ba4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an Ech0 instance and the \u003ccode\u003e/api/website/title\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker chooses a URL on the Ech0 server\u0026rsquo;s network, for example a service bound to localhost, another host on the internal network, or a cloud metadata endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/website/title\u003c/code\u003e with the \u003ccode\u003ewebsite_url\u003c/code\u003e parameter set to that URL (e.g., \u003ccode\u003ehttp://127.0.0.1:6277/api/website/title?website_url=http://host.docker.internal:9999/poc_ssrf_proof.html\u003c/code\u003e, where the Ech0 instance listening on port 6277 is made to fetch from a listener on the Docker host).\u003c/li\u003e\n\u003cli\u003eThe Ech0 server, which validates neither the scheme, the host, nor the address the host resolves to, makes the HTTP(S) request using \u003ccode\u003einternal/util/http/http.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the target responds with a redirect, the Ech0 server follows it (the default \u003ccode\u003ehttp.Client\u003c/code\u003e follows up to 10 redirects) without validating the new destination, so a harmless-looking public URL can bounce the request to an internal one.\u003c/li\u003e\n\u003cli\u003eThe Ech0 server reads the entire response body into memory with \u003ccode\u003eio.ReadAll\u003c/code\u003e and no size cap, so a very large or never-ending response exhausts server memory.\u003c/li\u003e\n\u003cli\u003eThe Ech0 server parses the body for an HTML \u003ccode\u003e\u0026lt;title\u0026gt;\u003c/code\u003e and returns either the title or an error message to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the titles of internal pages, learns from the difference between title and error responses which internal hosts and ports are reachable, or causes a denial-of-service condition by exhausting server resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis SSRF vulnerability allows unauthenticated attackers to force the Ech0 server to make HTTP(S) requests to internal or reserved targets reachable from the server\u0026rsquo;s network. A successful attack can lead to information disclosure, such as probing cloud metadata services on \u003ccode\u003e169.254.169.254\u003c/code\u003e-class endpoints or reaching internal services that are not exposed to the public internet. Because the endpoint returns only the parsed title or an error string, the attacker does not receive the raw response body: what can be read back directly is limited to page titles and error-based probing, and requests to targets that do not return HTML are effectively blind, although the request still reaches the target. The unbounded \u003ccode\u003eio.ReadAll\u003c/code\u003e makes the Ech0 server susceptible to denial of service whenever the attacker supplies a URL that returns a large response. Exposure depends on how Ech0 is deployed and on which internal resources are reachable from the Ech0 server\u0026rsquo;s network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Ech0 SSRF via Website Title API\u003c/code\u003e to detect exploitation attempts by monitoring requests to the \u003ccode\u003e/api/website/title\u003c/code\u003e endpoint whose \u003ccode\u003ewebsite_url\u003c/code\u003e points at loopback, RFC 1918, link-local or cloud metadata addresses, at internal hostnames such as \u003ccode\u003ehost.docker.internal\u003c/code\u003e, or at encoded variants of these.\u003c/li\u003e\n\u003cli\u003eBlock egress from the Ech0 server to \u003ccode\u003e169.254.169.254\u003c/code\u003e and other internal metadata endpoints if not explicitly required, mitigating the risk of cloud metadata exposure.\u003c/li\u003e\n\u003cli\u003eApply the patch by upgrading to Ech0 version 1.4.8-0.20260401031029-4ca56fea5ba4 or later, which addresses the underlying code flaws (CVE-2026-35036). Until the upgrade is in place, and as defense in depth afterwards, require authentication on the endpoint, resolve and validate the target address before connecting (rejecting loopback, private, link-local and unspecified ranges) and again on every redirect, re-enable TLS certificate verification, and cap the response size with \u003ccode\u003eio.LimitReader\u003c/code\u003e instead of an unbounded \u003ccode\u003eio.ReadAll\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:30:53Z","date_published":"2026-04-03T03:30:53Z","id":"/briefs/2026-04-ech0-ssrf/","summary":"Ech0 is vulnerable to Server-Side Request Forgery (SSRF) due to an unauthenticated API endpoint (`/api/website/title`) that fetches website titles from user-controlled URLs, lacking proper validation and TLS verification, allowing attackers to access internal resources and potentially cause denial of service.","title":"Ech0 Unauthenticated Server-Side Request Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-ech0-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Ech0","version":"https://jsonfeed.org/version/1.1"}
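As an added example, not code from the Ech0 project and not the fix shipped in 1.4.8-0.20260401031029-4ca56fea5ba4: a hardened Go fetcher that does the job of the `/api/website/title` endpoint while closing each flaw the advisory describes (no target validation, unvalidated redirects, `InsecureSkipVerify`, unbounded `io.ReadAll`). The function names (`isDisallowedIP`, `resolveVetted`, `newSafeClient`, `parseTitle`, `fetchTitle`), the 1 MiB body cap and the 10 s timeout are assumptions of this example, not values from the advisory or the patch. The address check runs inside the transport's `DialContext` rather than only on the parsed URL, which goes beyond the redirect point the advisory makes: it also covers hostnames that resolve to internal addresses and DNS rebinding, because the address is vetted on the socket the request actually uses, for the first request and for every redirect hop alike.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// isDisallowedIP rejects loopback, RFC 1918/ULA, link-local (169.254.169.254 included),
// unspecified and multicast addresses; net.IP's methods also catch IPv4-mapped IPv6.
func isDisallowedIP(ip net.IP) bool {
	return ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// resolveVetted parses an IP literal or resolves a hostname and refuses the host if any
// answer is disallowed, so split-horizon names and DNS rebinding cannot smuggle one in.
func resolveVetted(ctx context.Context, host string) (net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("%s is a disallowed address", host)
		}
		return ip, nil
	}
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("resolve %s: %v", host, err)
	}
	for _, a := range addrs {
		if isDisallowedIP(a.IP) {
			return nil, fmt.Errorf("%s resolves to disallowed address %s", host, a.IP)
		}
	}
	return addrs[0].IP, nil
}

// newSafeClient keeps TLS verification on (the Transport default), sets a deadline, and
// re-vets the address inside DialContext so every hop, redirects included, passes the
// same check; SNI and certificate validation still use the hostname from the URL.
func newSafeClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second, // assumed budget; the default client has none
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				host, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				ip, err := resolveVetted(ctx, host)
				if err != nil {
					return nil, err
				}
				return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
			},
		},
	}
}

var titleRe = regexp.MustCompile(`(?is)<title[^>]*>(.*?)</title>`)

// parseTitle replaces the unbounded io.ReadAll: a body larger than limit is an error rather
// than a memory spike, and only the <title> text is extracted from what was read.
func parseTitle(r io.Reader, limit int64) (string, error) {
	body, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err == nil && int64(len(body)) > limit {
		err = fmt.Errorf("response body exceeds %d bytes", limit)
	}
	if err != nil {
		return "", err
	}
	if m := titleRe.FindSubmatch(body); m != nil {
		return strings.TrimSpace(string(m[1])), nil
	}
	return "", nil
}

// fetchTitle does the endpoint's job safely: scheme/host gate, vetted fetch, bounded parse.
func fetchTitle(c *http.Client, raw string, maxBody int64) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return "", fmt.Errorf("unsupported URL %q", raw)
	}
	resp, err := c.Get(u.String())
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return parseTitle(resp.Body, maxBody)
}

func main() {
	for _, raw := range []string{"http://127.0.0.1:6277/", "http://169.254.169.254/", "file:///etc/passwd"} {
		_, err := fetchTitle(newSafeClient(), raw, 1<<20)
		fmt.Printf("%s -> %v\n", raw, err)
	}
}
```

Run with `go run` (Go 1.17 or later, for `net.IP.IsPrivate`): all three URLs in `main` are refused before a single byte reaches the target. One gap stays open at this layer: a public host that itself proxies to internal services passes every check here, which is why the egress filtering in the recommendations still applies alongside the code fix.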