GHSA-69hx-63pv-f8f4: Ech0 has Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload
The file upload endpoint validates the upload's Content-Type using only the client-supplied multipart part header, with no server-side content inspection and no file-extension validation. Combined with an unauthenticated static file server that derives the response Content-Type from the stored file's extension, this allows an admin to upload HTML or SVG files containing JavaScript that executes in the application's origin when any user visits the file's URL. Additionally, image/svg+xml is in the default list of allowed types, so stored XSS via SVG needs no Content-Type spoofing at all.
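The two server-side checks the description says are missing, as an added Go example that is not the Ech0 project's code nor part of this advisory: an extension allowlist, a sniff of the stored bytes that must agree with that extension (ignoring the client's multipart Content-Type), and response headers derived from the recorded type rather than the extension. The allowlist, function names and sample bodies are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// Extension allowlist mapped to the sniffed MIME type each must carry. Raster
// formats only: HTML and SVG can carry script, so image/svg+xml is not listed.
var allowedTypes = map[string]string{
	".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
	".gif": "image/gif", ".webp": "image/webp",
}

// ValidateUpload ignores the client-supplied multipart Content-Type. A file is
// accepted only when its extension is allowlisted AND the sniffed leading bytes
// agree with that extension; the returned MIME type is what gets stored.
func ValidateUpload(filename string, data []byte) (string, error) {
	ext := strings.ToLower(filepath.Ext(filename))
	want, ok := allowedTypes[ext]
	if !ok {
		return "", fmt.Errorf("extension %q not allowed", ext)
	}
	// Sniffs at most the first 512 bytes; an SVG or HTML body saved as .png
	// sniffs as text/xml or text/plain, never as image/png.
	if got := http.DetectContentType(data); got != want {
		return "", fmt.Errorf("body sniffed as %q, expected %s for %s", got, want, ext)
	}
	return want, nil
}

// UploadHeaders builds the headers the static file server should send for a
// stored upload, taken from the MIME type recorded at validation time rather
// than from the extension, so the browser never renders it as a document.
func UploadHeaders(storedMIME string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", storedMIME)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

// Constructed sample bodies: a PNG signature and an SVG carrying a script tag.
var (
	SamplePNG = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
	SampleSVG = []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script></script></svg>`)
)
```

Because subresource loads ignore Content-Disposition, the nosniff and sandbox headers are what keep an upload from executing even if a script-capable body ever reaches storage.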