CVE-2026-25766 (Echo v5.0.3, b1d443086ea2) — Windows-specific directory traversal in the static middleware when echo.Filesystem is the default — does not appear to be on the v5 branch.
Quick check on v5 HEAD:
echo.go (sha 4e389951) newDefaultFS() still returns &defaultFS{prefix: dir, fs: nil}, and defaultFS.Open still falls through to os.Open(name) // #nosec G304
context.go (sha 6fb2091b) fsFile does not call path.Clean(file) before filesystem.Open
group_test.go does not contain the new URL-encoded traversal test cases (%2e%2e%2fprivate.txt, %2e%2e%5cprivate.txt)
All three of those are the post-fix markers from the upstream commit. Is v5 still in scope for security cherry-picks, or has Echo dropped the v5 line?
— vulgraph
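The three post-fix markers named in the post (path.Clean before the filesystem Open, and the %2e%2e%2f / %2e%2e%5c test inputs) can be exercised with a small model. This is an added example, not Echo's code and not the upstream fix: unsafeResolve is a hypothetical stand-in for the unclean pre-fix path, escapesRoot simulates POSIX versus Windows separator handling in pure string logic so the Windows-only nature of the backslash case shows on any host, and safeResolve is one hardened shape (function names, the reject-on-".." policy and the "static" root are assumptions).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrTraversal is returned when a request path would resolve outside root.
var ErrTraversal = errors.New("path escapes static root")

// unsafeResolve is a hypothetical model of the pre-fix path: the percent-
// decoded request path is appended to the root and handed to the filesystem
// without being cleaned. It is not Echo's code.
func unsafeResolve(root, reqPath string) string {
	decoded, err := url.PathUnescape(reqPath)
	if err != nil {
		decoded = reqPath // leave malformed escapes alone, as a lenient server might
	}
	return root + "/" + decoded
}

// escapesRoot reports whether a resolved name lies outside root. The windows
// flag simulates a filesystem that treats '\' as a separator, so the check
// behaves the same on any host. Pure string logic; nothing is opened.
func escapesRoot(root, name string, windows bool) bool {
	if windows {
		root = strings.ReplaceAll(root, `\`, "/")
		name = strings.ReplaceAll(name, `\`, "/")
	}
	root = path.Clean(root)
	name = path.Clean(name)
	return name != root && !strings.HasPrefix(name, root+"/")
}

// safeResolve decodes, normalises '\' to '/' (so "..\" is caught on every
// OS, not only where the OS treats it as a separator), rejects any ".."
// segment and NUL bytes, then path.Cleans a rooted path and joins it below
// root. It returns a slash-separated name; a Windows caller would pass it
// through filepath.FromSlash before opening.
func safeResolve(root, reqPath string) (string, error) {
	decoded, err := url.PathUnescape(reqPath)
	if err != nil {
		return "", err
	}
	if strings.ContainsRune(decoded, 0) {
		return "", ErrTraversal
	}
	decoded = strings.ReplaceAll(decoded, `\`, "/")
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return "", ErrTraversal
		}
	}
	cleaned := path.Clean("/" + decoded) // rooted, so it can never climb above "/"
	full := path.Join(root, cleaned)
	if escapesRoot(root, full, false) { // defence in depth; should never trigger
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	// Constructed request paths: one benign, then the two encoded forms
	// named in the post (slash and backslash traversal).
	for _, req := range []string{"public.txt", "%2e%2e%2fprivate.txt", "%2e%2e%5cprivate.txt"} {
		raw := unsafeResolve("static", req)
		fmt.Printf("%-22s unsafe=%-24s escapes(posix)=%-5v escapes(windows)=%-5v",
			req, raw, escapesRoot("static", raw, false), escapesRoot("static", raw, true))
		if safe, err := safeResolve("static", req); err != nil {
			fmt.Printf(" safe=rejected (%v)\n", err)
		} else {
			fmt.Printf(" safe=%s\n", safe)
		}
	}
}
```

The point the table makes is the one the CVE title makes: the %5c form is harmless on a POSIX host, where `..\private.txt` is just an odd file name under the root, and only becomes traversal where the OS also accepts `\` as a separator. That is why a fix that only runs path.Clean on the slash form is not enough, and why the upstream test set carries both encodings.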