GHSA-8mc6-xjpr-h98x: Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo
The fetchPeerConnectInfo function in internal/service/connect/connect.go (lines 214-239) uses httpUtil.SendRequest, which performs no SSRF protection, instead of SendSafeRequest, which calls ValidatePublicHTTPURL to block private IP addresses. As a result, an authenticated user can make the server issue requests to arbitrary URLs, including internal services and cloud metadata endpoints.
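What the safe path's URL check has to do before any request is sent, as an added Go example that is not Ech0's own code: ValidatePublicHTTPURL here is a hypothetical stand-in for the project's function of the same name, and the injected resolver and the sample URL in main are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// isPublicIP rejects loopback, RFC 1918/4193 private, link-local (which covers the
// 169.254.169.254 cloud metadata address), unspecified and multicast addresses; the
// To4() inside these methods also catches IPv4-mapped IPv6 forms like ::ffff:10.0.0.1.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast() ||
		ip.IsInterfaceLocalMulticast())
}

// ValidatePublicHTTPURL (hypothetical stand-in for the safe path's check) returns nil
// only for an http(s) URL whose host resolves exclusively to public addresses. The
// resolver is injected so the check can run offline in tests.
func ValidatePublicHTTPURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" || u.User != nil {
		return fmt.Errorf("rejecting %q: empty host or embedded credentials", raw)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal IP: no DNS needed
	} else if ips, err = lookup(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("resolve %s: %v (%d addresses)", host, err, len(ips))
	}
	for _, ip := range ips { // every A/AAAA record must be public, not just the first
		if !isPublicIP(ip) {
			return fmt.Errorf("host %s resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed demo: the cloud metadata address is rejected before any request is sent.
	fmt.Println(ValidatePublicHTTPURL("http://169.254.169.254/latest/meta-data/", net.LookupIP))
}
```

Resolving the host inside the validator and then letting the HTTP client resolve it again leaves a DNS-rebinding window, so production code should also pin the validated IP in the client's dial step and re-run the check on every redirect.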