GHSA-pj6q-4vq4-r8cg: Ech0 allows PUT /api/echo/like/:id unauthenticated: anonymous callers to modify any echo's fav_count

May 7, 2026

PUT /api/echo/like/:id at internal/router/echo.go:12 is registered on PublicRouterGroup with no authentication and no rate limit. Anonymous callers increment the fav_count counter on any echo (including private echoes) by UUID, repeat the request without deduplication, and trigger a database write plus a four-key cache invalidation on every call. Alice harvests echo UUIDs from the public GET /api/echo/page response, inflates fav counts at will, and spams writes to amplify load on the DB and cache layers.

References

github.com/advisories/GHSA-pj6q-4vq4-r8cg
github.com/lin-snow/Ech0/commit/cecc2c19b590df85d79ea98457faa143130cd620
github.com/lin-snow/Ech0/security/advisories/GHSA-pj6q-4vq4-r8cg

Code Behaviors & Features

Detect and mitigate GHSA-pj6q-4vq4-r8cg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →