GHSA-rj4g-rqgh-rx9h: Ech0 comment model's Email field returned on public /api/comments endpoints
The Comment model serializes its Email field through the public comment-listing API. internal/model/comment/comment.go:33 uses json:"email", while adjacent PII fields (IPHash, UserAgent) correctly use json:"-". The public endpoints GET /api/comments?echo_id=X and GET /api/comments/public?limit=N both live on PublicRouterGroup with no authentication. Alice retrieves every guest commenter’s email address on the instance with a few unauthenticated HTTP calls.
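The following Go program is an added example, not code from the Ech0 project or from this advisory. It reproduces the tag mismatch the advisory describes (Email tagged json:"email" while IPHash and UserAgent are tagged json:"-"), shows the corrected model with Email hidden the same way, and includes a tag-independent check that scans a serialized comment listing for sensitive keys, the kind of regression test an operator can run against a captured response from the public listing endpoints. The ID and Content fields, the fixture values and the key names ip_hash and user_agent are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

// VulnerableComment mirrors the field layout the advisory describes: Email
// carries json:"email" while IPHash and UserAgent are hidden with json:"-".
// ID and Content are assumed fields added to make the record realistic.
type VulnerableComment struct {
	ID        uint   `json:"id"`
	Content   string `json:"content"`
	Email     string `json:"email"` // serialized on every public listing
	IPHash    string `json:"-"`
	UserAgent string `json:"-"`
}

// HardenedComment gives Email the same treatment as the other PII fields, so
// the public comment-listing responses no longer carry it.
type HardenedComment struct {
	ID        uint   `json:"id"`
	Content   string `json:"content"`
	Email     string `json:"-"` // still stored, never serialized
	IPHash    string `json:"-"`
	UserAgent string `json:"-"`
}

// sampleComments is a constructed fixture standing in for the rows a
// comment-listing handler would read from the database.
var sampleComments = []struct {
	id                         uint
	content, email, ipHash, ua string
}{
	{1, "nice post", "guest1@example.invalid", "h1", "Mozilla/5.0"},
	{2, "thanks", "guest2@example.invalid", "h2", "curl/8.0"},
}

// RenderVulnerable serializes the fixture the way the affected model does.
func RenderVulnerable() ([]byte, error) {
	out := make([]VulnerableComment, 0, len(sampleComments))
	for _, c := range sampleComments {
		out = append(out, VulnerableComment{ID: c.id, Content: c.content,
			Email: c.email, IPHash: c.ipHash, UserAgent: c.ua})
	}
	return json.Marshal(out)
}

// RenderHardened serializes the fixture with the corrected Email tag.
func RenderHardened() ([]byte, error) {
	out := make([]HardenedComment, 0, len(sampleComments))
	for _, c := range sampleComments {
		out = append(out, HardenedComment{ID: c.id, Content: c.content,
			Email: c.email, IPHash: c.ipHash, UserAgent: c.ua})
	}
	return json.Marshal(out)
}

// LeakedKeys decodes a JSON array of objects without relying on struct tags
// and returns, in the order given, every sensitive key that appears in at
// least one object. Point it at a captured public-endpoint response to check
// that a deployment no longer exposes the field.
func LeakedKeys(body []byte, sensitive ...string) ([]string, error) {
	var items []map[string]json.RawMessage
	if err := json.Unmarshal(body, &items); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for _, item := range items {
		for _, k := range sensitive {
			if _, ok := item[k]; ok {
				seen[k] = true
			}
		}
	}
	var leaked []string
	for _, k := range sensitive {
		if seen[k] {
			leaked = append(leaked, k)
		}
	}
	return leaked, nil
}

func main() {
	renderers := []struct {
		name   string
		render func() ([]byte, error)
	}{{"vulnerable", RenderVulnerable}, {"hardened", RenderHardened}}
	for _, r := range renderers {
		body, err := r.render()
		if err != nil {
			log.Fatal(err)
		}
		leaked, err := LeakedKeys(body, "email", "ip_hash", "user_agent")
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%s: %s\n  leaked keys: %v\n", r.name, body, leaked)
	}
}
```

The check decodes into generic maps on purpose: a test that unmarshals into the model struct would silently drop any key the struct does not declare and could never observe the leak. Running the vulnerable renderer reports email as leaked; the hardened one reports none.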