PT-2026-30015 · Ech0 · Ech0

Offset · Published 2026-04-03 · Updated 2026-04-06 · CVE-2026-35037

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Ech0 versions prior to 4.2.8
Description: The GET /api/website/title endpoint is susceptible to Server-Side Request Forgery (SSRF). The endpoint accepts an arbitrary URL via the website url query parameter and makes a server-side HTTP request to it without validating the target host or IP address. This allows an attacker to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services. Partial response data is exfiltrated via the HTML <title> tag extraction. The vulnerability exists because the route requires no authentication, the URL is not validated, the HTTP client places no restriction on outbound requests, and the response body is parsed for <title> tags. An attacker can exploit this to steal cloud credentials, perform internal network reconnaissance, interact with localhost services, bypass firewalls, and exfiltrate data. The attack requires no authentication and can be performed by any anonymous internet user with network access to the Ech0 instance.
Recommendations: Add URL validation to the GetWebsiteTitle function to block requests to private/internal IP ranges and restrict allowed schemes (http and https). Implement hostname resolution and block requests to private IPs. Consider removing InsecureSkipVerify: true from the HTTP client configuration. Disable redirect following or re-validate the target IP after each redirect to prevent DNS rebinding. Add rate limiting to the affected endpoint.
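The guard below is an added example of the recommendations above in Go, the language the GetWebsiteTitle function and the InsecureSkipVerify setting point to; it is not Ech0's code, and the function names, the Resolver type, the demoResolver lookup table and the hostnames in it are assumptions. It restricts the scheme to http/https, resolves the host, rejects loopback, private, link-local (which covers 169.254.169.254), multicast and unspecified addresses, and runs that same check inside the HTTP transport's dialer, so every redirect hop is re-validated and the connection goes to the address that was just vetted rather than to a second DNS answer (the rebinding case). Rate limiting is left to the router.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Resolver abstracts DNS so the guard can run offline against a fake table.
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)
var ErrBlocked = errors.New("ssrf guard: destination not allowed")

// demoResolver is a constructed lookup table; the hostnames are assumptions.
func demoResolver(_ context.Context, host string) ([]netip.Addr, error) {
	table := map[string]string{"localhost": "127.0.0.1",
		"metadata.internal": "169.254.169.254", "public.example": "203.0.113.10"}
	if ip, ok := table[host]; ok {
		return []netip.Addr{netip.MustParseAddr(ip)}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

// isInternal: loopback, RFC 1918 / ULA, link-local (covers 169.254.169.254), multicast,
// unspecified. Unmap first so ::ffff:127.0.0.1 is judged by the IPv4 rules. Not exhaustive.
func isInternal(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsUnspecified() ||
		a.IsMulticast() || a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast()
}

// vetHost parses an IP literal or resolves a name; any internal address refuses the host.
func vetHost(ctx context.Context, host string, resolve Resolver) ([]netip.Addr, error) {
	var addrs []netip.Addr
	if ip, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{ip}
	} else if addrs, err = resolve(ctx, host); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("%w: %s has no addresses", ErrBlocked, host)
	}
	for _, a := range addrs {
		if isInternal(a) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrBlocked, host, a)
		}
	}
	return addrs, nil
}

// ValidateTarget is the pre-request check: http/https only, host must pass vetHost.
func ValidateTarget(ctx context.Context, raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrBlocked, u.Scheme)
	}
	if _, err := vetHost(ctx, u.Hostname(), resolve); err != nil {
		return nil, err
	}
	return u, nil
}

// NewSafeClient repeats the check inside the transport's dialer and connects to the
// vetted address itself: every redirect hop dials through here, and a DNS answer that
// flips between check and connect (rebinding) is never used. No InsecureSkipVerify.
func NewSafeClient(resolve Resolver) *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			addrs, err := vetHost(ctx, host, resolve)
			if err != nil {
				return nil, err
			}
			return dialer.DialContext(ctx, network, net.JoinHostPort(addrs[0].String(), port))
		},
	}
	return &http.Client{Transport: transport, Timeout: 10 * time.Second}
}

func main() {
	for _, raw := range []string{"http://169.254.169.254/", "http://[::ffff:127.0.0.1]:6379/",
		"file:///etc/passwd", "https://public.example/"} {
		_, err := ValidateTarget(context.Background(), raw, demoResolver)
		fmt.Printf("%-34s %v\n", raw, err)
	}
}
```

In production the Resolver argument would be a thin wrapper around net.DefaultResolver.LookupNetIP(ctx, "ip", host); the demo table only exists so the check can be exercised without network access. Doing the check in DialContext rather than once before the request is what makes the redirect and rebinding recommendations hold: the address that passed the check is the one dialled, and the TLS handshake still verifies the certificate against the original hostname.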

Fix · SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-35037, GHSA-CQGF-F4X7-G6WC

Affected Products: Ech0